ABSTRACT


In this thesis, we study a type of affine equivalence for the monomial rotation-symmetric
(MRS) Boolean functions and two new construction techniques for cryptographic Boolean
functions based on the affine equivalence of cryptographically strong base functions and
fast Boolean operations. Affine equivalence of cryptographic Boolean functions presents
a formidable challenge to researchers, due to its complexity and size of the search space.

We focus on an affine equivalence based on permutation of variables for MRS Boolean
functions and their relationship to circulant matrices over the binary field $\mathbb{F}_2$, and
regular graphs. We first establish a relationship between generalized inverses of circulant
matrices in $\mathbb{F}_2$, and their generating polynomials. We then apply the relationship to gain
insight into necessary conditions for the affine equivalence, based on permutations of
variables for MRS Boolean functions. We also propose a theoretical connection between regular
graphs and MRS Boolean functions to further our study in affine equivalence. Finally, we
present two constructions for Boolean functions with good cryptographic properties. The
constructions take advantage of two affine-equivalent base functions with strong cryptographic
properties. We analyze the cryptographic properties of the constructions and demonstrate
an application with these base functions, called the hidden weighted-bit functions.


1. INTRODUCTION


As we connect to the Internet with increasing frequency for various services, the
need for secure communication is higher than ever before. The ability to email or socialize
electronically with the world in a secure and stable manner is crucial for today’s global
citizen. We want our financial transactions over the Internet to get processed without error.
Cyber warfare between nations and industrial espionage among corporations are commonplace.
A nation’s infrastructure networks need impregnable protection. We are living in
a fast moving, networked world, and any compromised or misintended information may
result in catastrophic consequences. It is therefore a paramount requirement of every
electronic communications network system that it provide every authorized user.

Due to the Internet revolution, the application of cryptography is no longer limited
to corporations or government agencies. Any entity on the Internet has the need to protect
information in storage and data in transit to another part of the network. This protection,
attained via complex (mostly mathematical) schemes called cryptosystems, is an integral
part of any reliable network service. At the heart of every cryptosystem is a cipher. A
cipher is a set of algorithms used to encrypt and decrypt a message. An encrypted message
in any language is called ciphertext, and an unencrypted message is called plaintext. In
general, there are two types of cryptosystems: asymmetric and symmetric. The security of
a modern electronic cipher often depends on secret keys that are essential for encryption
and decryption processes. An asymmetric cipher uses different keys to encrypt and decrypt
a message, and the connection between the encryption and decryption keys is based upon
a known (and well studied) mathematical problem. RSA (the initials of the surnames of
its designers, Ron Rivest, Adi Shamir and Leonard Adleman) is a well known asymmetric
cipher. Compared to symmetric ciphers, asymmetric ciphers are generally slow. However,
asymmetric ciphers have added more functionality, such as message authentication and
digital signature, and are more efficient in secret-key management, since they require fewer
secret keys. A symmetric cipher uses the same secret key to encrypt and decrypt a message.
It is faster than an asymmetric cipher, but requires more secret keys, since each pair of users
on the network needs to have a unique key. This makes secret-key management a difficult
task. Depending on how a symmetric cipher processes a message before encryption or
decryption, a symmetric cipher can be further classified into a block or stream cipher. A block
cipher breaks down a message into 64, 128, 192 or 256 binary bit blocks and encrypts the
message by blocks. The decryption of a block cipher is usually accomplished by reversing
the encryption process. Data Encryption Standard (DES) and Advanced Encryption
Standard (AES) are well known examples of block ciphers. On the other hand, a stream
cipher encrypts and decrypts a bit at a time. For example, GSM (Global System for Mobile
Communications), a wireless communications protocol, uses a stream cipher called A5/1.

The subject of this thesis, cryptographic Boolean functions, applies to both ciphers,
asymmetric and symmetric. Boolean functions can be key components to hashing
algorithms of asymmetric ciphers. Cryptographic Boolean functions can also be an element
for block cipher design and analysis. A good illustration of this is DES. Figure 1.1 shows
the DES encryption process. Despite all the seemingly complex procedures and diagrams,
the only nonlinear component in DES is the substitution process in the function f, which
uses a lookup table called substitution box or S-box to simply shuffle data. Surprisingly,
in DES, the S-boxes are the only component that integrates significant complexity to the
cipher. The S-box is the keystone of the security of DES. The same is true for AES. It is
possible to analyze an S-box with cryptographic Boolean functions and measure the
security of a block cipher against known attacks. We can also design another set of S-boxes for
DES, which optimizes certain cryptographic properties of Boolean functions [1].

Figure 1.1: Data Encryption Standard (DES) Diagram From [2]

The two important qualities of a cipher are security and speed. They often conflict
with each other and affect the decision to choose the optimum cryptographic Boolean
functions for a cipher. The two broad topics of this thesis are the affine equivalence and
construction of Boolean functions with good cryptographic properties. A cryptographic
Boolean function of n variables takes an n-dimensional Boolean vector and maps it to 0 or
1. Two Boolean functions are affine equivalent if we can obtain one from the other through
a set of affine transformations. By reflexivity, symmetry, and transitivity, the affine
equivalence is an equivalence relation. Therefore, it partitions any set of Boolean functions into
equivalence classes. A cryptanalyst can take advantage of the partitioning to devise an
efficient algorithm to test the security of a cipher. He needs only to consider the equivalence
classes instead of all possible Boolean functions for the cipher, since affine transformations
preserve many of the cryptographic properties. On the other hand, cryptographic engineers
can integrate affine equivalent functions with good cryptographic properties for speed and
simplicity. For example, instead of using the same function, they may use affine
equivalence classes of the function to increase security. They can also avoid the equivalence class
of a cryptographically weak function, since they are inherently a security risk. Affine
equivalence is notoriously complex and often requires unrealistic computing resources. In this
thesis, we focus on an affine equivalence of monomial rotation-symmetric (MRS) Boolean
functions. A rotation-symmetric Boolean function (RSBF) is a Boolean function such that
a Boolean vector and its rotation equivalents render the same function value. For example,
if a Boolean function f(x) is a RSBF of three variables $\mathbf{x} = (x_1, x_2, x_3)$, then the vector
(0, 0, 1) and its rotation equivalents (1, 0, 0) and (0, 1, 0) have the same function value. In
other words, f((0,0,1)) = f((1,0,0)) = f((0,1,0)). RSBFs are well known for their
speed [3], and some cryptographically strong Boolean functions are rotation symmetric.
An MRS Boolean function is a special type of RSBF, which we formally define in Chapter
4. Construction techniques of cryptographic Boolean functions may be less relevant to the
ciphers, such as DES and AES, since they use key-invariant S-boxes. However, ciphers
such as BLOWFISH and TWOFISH use key-dependent S-boxes. Efficient construction
techniques for S-boxes can be a crucial part of the ciphers with dynamic S-boxes. We
study two techniques using affine equivalence of cryptographically strong base functions
and two simple Boolean operations, concatenation and complementation. These
constructions provide the flexibility to choose a customized base function with good cryptographic
properties, as well as speed due to the simplicity of the Boolean operations. We also present
an application of our methods, using the hidden weighted-bit function, which is resistant to
a binary decision diagram (BDD)-related attack.

The rest of the dissertation is outlined as follows. 

In Chapter 2, we formally define basic terminology and principles of cryptographic
Boolean functions. We illustrate applications of cryptographic Boolean functions and
review common cryptographic properties.

In Chapter 3, we delve into circulant matrices and introduce some results regarding
the general inverse of circulant matrices. We study a necessary condition for an affine
equivalence based on a permutation of input variables for MRS Boolean functions.

In Chapter 4, we study the relationship between MRS Boolean functions and regular
graphs. We establish a basic relationship and suggest other possibilities.

In Chapter 5, we study two different ways to construct Boolean functions with good
cryptographic properties via affine transformation, concatenations, and complementations
of cryptographically strong base functions.

In Chapter 6, we briefly introduce BDD and cryptanalysis based on its properties.
We present an application based on hidden weighted-bit function for our construction
methods. We analyze cryptographic properties of these constructions.

In Chapter 7, we summarize and reflect on the main contribution of this thesis. We
also suggest some ideas for future research.


2. CHARACTERISTICS OF CRYPTOGRAPHIC BOOLEAN FUNCTIONS


2.1. BASIC DEFINITIONS AND FUNDAMENTAL PROPERTIES


First, we introduce a commutative binary operation, “exclusive-or” or XOR, denoted
by “$\oplus$”, over the set {0, 1}. Table 2.1 shows the truth table for the XOR operation.

$\oplus$ | 0 | 1
0 | 0 | 1
1 | 1 | 0

Table 2.1: Binary Operation XOR

We also define a multiplication in {0, 1} in the usual way. This operation is equivalent
to the logical “AND” operation. Table 2.2 shows the truth table for the multiplication
operation.

$\cdot$ | 0 | 1
0 | 0 | 0
1 | 0 | 1

Table 2.2: Binary Operation $\cdot$

We note that {0, 1} with $\oplus$ and $\cdot$ forms the smallest Galois field.


Definition 2.1.1. Let the set {0, 1} with the XOR operation and the usual multiplication
be the binary or Boolean field, denoted by $\mathbb{F}_2$. The set of n-tuples $(x_1, x_2, \ldots, x_n)$,
denoted by $\mathbb{F}_2^n$, where $x_i \in \mathbb{F}_2$ with $1 \le i \le n$, is an n-dimensional vector space
over $\mathbb{F}_2$.

We use the terms Boolean vectors and Boolean strings interchangeably. The Boolean
vector space has many common properties of other vector spaces, such as $\mathbb{R}^n$ and $\mathbb{C}^n$.

We now proceed to define a Boolean function of n variables.

Definition 2.1.2. We define a Boolean function f of n variables as a mapping

$$f : \mathbb{F}_2^n \to \mathbb{F}_2.$$

A Boolean function f takes an n-dimensional vector of 1’s and 0’s as input, and returns 1
or 0 as the function value. We denote the set of all Boolean functions of all variables as $\mathcal{B}$,
and the set of all n-variable Boolean functions as $\mathcal{B}_n$. We use the terms “Boolean function
of n variables” and “Boolean function” interchangeably.


By applying the product rule of combinatorics, we observe that the domain of
$f \in \mathcal{B}_n$ has cardinality $2^n$. We usually order the domain in a lexicographical order. We
distinguish two types of lexicographical ordering, depending on how the elements of the
vector domain are ordered. One is the backward ordering, where we order the components
of the vector x such that $\mathbf{x} = (x_n, x_{n-1}, \ldots, x_2, x_1)$. Therefore, the domain vectors are
lexicographically ordered such that (0,0,...,0,0), (0,0,...,0,1), ..., (1,1,...,1,1). The
other is the forward ordering, where we order the components of the vector x such that
$\mathbf{x} = (x_1, x_2, \ldots, x_{n-1}, x_n)$. Therefore, the domain vectors are lexicographically ordered
such that (0,0,...,0,0), (1,0,...,0,0), ..., (1,1,...,1,1). When we say “lexicographical
order”, we mean the backward ordering, unless stated otherwise. For convenience, we
regard the vectors as row vectors and use forward ordering unless stated otherwise.

The most popular way to define a Boolean function of n variables is to list the
function values as they match the lexicographically ordered domain, which results in a
$2^n$-dimensional Boolean vector or string. The first column of Table 2.3 depicts a Boolean
function of 3 variables, f(x), with its truth table 10011101.

Remark 2.1.3. For convenience, we note that f means the truth table representation of a
Boolean function f, and f(x) means the function value at the particular vector x.


Definition 2.1.4. Given a Boolean function f, the complement of f, denoted by $\bar f$, is $f \oplus 1$.

We observe that $\bar f$ merely flips or changes the function values of f. That is, if
f(x) = 1, then $\bar f(\mathbf{x}) = 0$, and if f(x) = 0, then $\bar f(\mathbf{x}) = 1$. The complement of the function
on Table 2.3 is 01100010.

Lemma 2.1.5. $f \oplus f = \mathbf{0}$, and $f \oplus \bar f = \mathbf{1}$, where $\mathbf{0} = (0, 0, \ldots, 0)$ and $\mathbf{1} = (1, 1, \ldots, 1)$.

Remark 2.1.6. For convenience, we use string and vector notations interchangeably in this
thesis. For example, 10011101 = (1,0,0,1,1,1,0,1).


By the product rule of combinatorics, there are $2^{2^n}$ Boolean functions of n variables.
Another operation commonly used in $\mathbb{F}_2$ is concatenation.

Definition 2.1.7. Given two Boolean vectors, $f = a_1a_2 \ldots a_m$ and $g = b_1b_2 \ldots b_n$, with
$a_i, b_i \in \mathbb{F}_2$ and m and n in $\mathbb{N}$, the concatenation of f and g, denoted by $f \,\|\, g$, is an
m + n vector obtained by simply combining the elements of f and g in order. That is,

$$f \,\|\, g = a_1a_2 \ldots a_m b_1b_2 \ldots b_n.$$

Example 2.1.8. Table 2.3 shows the various expressions of a Boolean function. It is
interesting to note that f = 1001 || 1101, where 1001, 1101 $\in \mathcal{B}_2$ and $f \in \mathcal{B}_3$.


Another way to express the truth table is to take −1 to the power of the function
value. This set up gives us more options to aggregate some Boolean measures in $\mathbb{R}$.

Definition 2.1.9. Given the truth table of a Boolean function f(x), we define the character
form or sign function [4, p. 6] of f(x), denoted by $\hat f(\mathbf{x})$

It is clear that $\hat f(\mathbf{x}) \in \{-1, 1\}$, and also $\hat f(\mathbf{x}) = 1 - 2 \cdot f(\mathbf{x})$.

The second column of Table 2.3 depicts a Boolean function of 3 variables f(x),
as −1, 1, 1, −1, −1, −1, 1, −1 in sign function. The next lemma describes the relationship
between the truth table and the sign function.

Lemma 2.1.10. [4, p. 6] If $f, g \in \mathcal{B}_n$ and $h = f \oplus g$, then $\hat h = \hat f \hat g$.


We call a multiplication term of Boolean variables, regardless of the power of each 
variable, a monomial. For example, 7, - 2§ - 73 = 2 23 is a monomial. Given x = 


({n,...,21) with x; = {0, 1} and 1 <i < n, we observe that 


for $k \in \mathbb{N}$. We can write a polynomial-like expression for Boolean functions, using
monomials and $\oplus$. When we list all the possible monomials in lexicographical order, we can
regard the set of all the Boolean functions of n variables as the set of all possible
XOR-combinations of n-variable monomials. We can also assign a unique $2^n$-dimensional vector
over $\mathbb{F}_2$ to all possible monomials to write an XOR combination of n-variable monomials
in the following way.

Definition 2.1.11. The algebraic normal form (ANF) of a Boolean function f(x) is an
XOR sum of monomials such that

$$f(\mathbf{x}) = \bigoplus_{j=1,\ \mathbf{a} \in \mathbb{F}_2^n}^{j=2^n} c_j\, x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n},$$

where $\mathbf{a} = (a_1, a_2, \ldots, a_n)$, $\mathbf{c} = (c_1, c_2, \ldots, c_{2^n})$, and $a_i, c_j \in \mathbb{F}_2$ for $i = 1, 2, \ldots, n$
and $j = 1, 2, \ldots, 2^n$.


Example 2.1.12. The expression below illustrates the ANF of f(x). Typically, we
order the vector a lexicographically and obtain the binary string f(x) = 0001000000001000
of length $2^n$.

$$f(\mathbf{x}) = x_1x_2 \oplus x_3x_4$$


0,,0,,.0,,0 1,,0,,0,,0 0,,1,,0,,.0 1,,1,,0,,0 0,,0,,1,.0 


O20, Sb a1 ses ea 1 ey be 
0D iO eotat, Daves DOC 5e.0, 0 - 2,050.07: 


We also note that the ANF of a Boolean function is unique.

A Boolean function may be better understood with one expression type of f(x) than
another. We transform an ANF of a Boolean function f(x) to the truth table of f(x) by
simply evaluating the function value with the ANF. We can transform a truth table in Table
2.3 into an ANF expression by adding the monomials derived by the input values x such
that f(x) = 1. We demonstrate this process in the next example.

Example 2.1.13. The truth table of the Boolean function, f(x) on Table 2.3 is 10100111,
where f(000) = f(010) = f(101) = f(110) = f(111) = 1. We construct each term to
ensure that f(x) = 1 whenever x happens to be one of the vectors listed. For example,
since f(011) = 1, we want to have the term $x_1x_2(x_3 \oplus 1)$ for $x_1 = 1$, $x_2 = 1$, $x_3 = 0$. And
we apply this to each x with f(x) = 1 to obtain

$$\begin{aligned}
f(\mathbf{x}) &= (x_3 \oplus 1)(x_2 \oplus 1)(x_1 \oplus 1) \oplus (x_3 \oplus 1)x_2x_1 \oplus x_3(x_2 \oplus 1)x_1 \\
&\quad \oplus x_3x_2(x_1 \oplus 1) \oplus x_3x_2x_1 \\
&= 1 \oplus x_1 \oplus x_2 \oplus x_1 \cdot x_3 \oplus x_1 \cdot x_2 \cdot x_3.
\end{aligned}$$

n = 3 | f(x) | $\hat f(\mathbf{x})$ | ANF
000 | 1 | -1 | 1
001 | 0 | 1 | 1
010 | 0 | 1 | 1
011 | 1 | -1 | 0
100 | 1 | -1 | 0
101 | 1 | -1 | 1
110 | 0 | 1 | 0
111 | 1 | -1 | 1

Table 2.3: Various Representation of a Boolean function f(x)

There is a more efficient way to construct the ANF from the truth table (and vice
versa), called transeunt triangle, and we refer to [5].


Definition 2.1.14. The ANF of a Boolean function gives us some important measures on
the function. In an ANF, the number of variables in the highest-order monomial with
nonzero coefficient is called the degree of the Boolean function. A Boolean function is
homogeneous if all its ANF terms have the same degree. A Boolean function is
nonhomogeneous if it is not homogeneous.

Example 2.1.15. The function in Example 2.1.12 is a homogeneous Boolean function with
degree 2, whereas the function below is a nonhomogeneous Boolean function with degree 5.

$$f(\mathbf{x}) = x_1x_2 \oplus x_1x_2x_3x_4x_5.$$

The degree of a Boolean function is one of the most important cryptographic
properties in a cipher. We discuss the cryptographic implications of the degree in the next section.
A Boolean function of degree at most one is an affine function. An affine function with
the constant term equal to zero is called a linear function. The set of all n-variable affine
(respectively linear) functions is denoted by $\mathcal{A}_n$ (respectively $\mathcal{L}_n$).

Let $f \in \mathcal{B}_n$ and E be any flat (that is, a coset of a vector subspace). If the restriction
$f|_E$ of f to E is constant (respectively affine), then E is called a constant (respectively
affine) flat for f.

Let

$$1_f = \{\mathbf{x} \in \mathbb{F}_2^n \mid f(\mathbf{x}) = 1\}$$

be the support of a Boolean function f. We define the complement of the support

$$0_f = \{\mathbf{x} \in \mathbb{F}_2^n \mid f(\mathbf{x}) = 0\}.$$

We also note the usual dot-product operation of two vectors in the context of Boolean
vectors. Let $\mathbf{x} = (x_n, \ldots, x_1)$ and $\mathbf{w} = (w_n, \ldots, w_1)$ both belonging to $\mathbb{F}_2^n$ and
$\mathbf{x} \cdot \mathbf{w} = x_nw_n \oplus \cdots \oplus x_1w_1$.


Definition 2.1.16. The number of 1’s in a binary string or vector x, denoted by wt(x), is
called the Hamming weight.

We can apply the same idea to the truth table of a Boolean function f. The Hamming
weight of f is the Hamming weight of the truth table of f. The Hamming weight of
the Boolean function on Table 2.3 is 5. We also observe that the cardinality of $1_f$ is the
Hamming weight of f.

Lemma 2.1.17. Given $f \in \mathcal{B}_n$,

$$wt(f) = \sum_{\mathbf{x} \in \mathbb{F}_2^n} f(\mathbf{x}) = \frac{1}{2}\Bigl(2^n - \sum_{\mathbf{x} \in \mathbb{F}_2^n} \hat f(\mathbf{x})\Bigr).$$

Definition 2.1.18. Given two binary vectors (or strings) of same length, $\mathbf{x} = (x_1, x_2, \ldots, x_n)$
and $\mathbf{y} = (y_1, y_2, \ldots, y_n)$. The Hamming distance, denoted by d(x, y), between the two
vectors is the number of indices where they have different binary values.


For example, if x = (0,1,0,0,0,0,0) and y = (1,1,1,1,1,1,0), d(x, y) = 5 since the
elements of x and y are different in the indices 1, 3, 4, 5, 6.

Lemma 2.1.19. Given two Boolean functions of n variables $f = x_1, x_2, \ldots, x_{2^n}$ and
$g = y_1, y_2, \ldots, y_{2^n}$ in truth table, $d(f, g) = wt(f \oplus g)$.

Lemma 2.1.20. For two Boolean functions f and g,

$$d(f, g) = 2^{n-1} - \frac{1}{2} \sum_{\mathbf{x} \in \mathbb{F}_2^n} \hat f(\mathbf{x})\, \hat g(\mathbf{x}).$$

Next, we introduce an important measure of Boolean functions.

Definition 2.1.21. [4, p. 7] Given a Boolean function f, the Walsh transform of f on a
vector w is an integer value function defined by

$$W(f)(\mathbf{w}) = \sum_{\mathbf{x} \in \mathbb{F}_2^n} f(\mathbf{x})(-1)^{\mathbf{w} \cdot \mathbf{x}}.$$

We can recover f by the inverse Walsh transform,

$$f(\mathbf{x}) = 2^{-n} \sum_{\mathbf{w} \in \mathbb{F}_2^n} W(f)(\mathbf{w})(-1)^{\mathbf{w} \cdot \mathbf{x}}.$$

Another way to measure a Boolean function is the Walsh transform of $\hat f$ on w, denoted by
$W_f(\mathbf{w})$. We refer to it as the Walsh-Hadamard transform of f(x).

$$W_f(\mathbf{w}) = \sum_{\mathbf{x} \in \mathbb{F}_2^n} \hat f(\mathbf{x})(-1)^{\mathbf{w} \cdot \mathbf{x}}.$$

The Walsh transform of $\hat f$ on w essentially measures the Hamming distance between
f and the linear function defined by the vector w, which is

$$\mathbf{w} \cdot \mathbf{x} = w_1x_1 \oplus w_2x_2 \oplus \cdots \oplus w_nx_n.$$


We use this result to define the nonlinearity of a Boolean function in the next section.

Next, we discuss a concept analogous to a “directional derivative” [4, p. 38]. Given
a Boolean function f(x) and an arbitrary vector u, we can consider a measure on f(x) with
respect to a vector u.

Definition 2.1.22. Given a Boolean function f, the derivative of f with respect to a vector
u, denoted by $D_{\mathbf{u}}f$, is defined by

$$D_{\mathbf{u}}f = f(\mathbf{x}) \oplus f(\mathbf{x} \oplus \mathbf{u}).$$

If $f(\mathbf{x}) = f(\mathbf{x} \oplus \mathbf{u})$, $D_{\mathbf{u}}f = 0$. If $f(\mathbf{x}) \neq f(\mathbf{x} \oplus \mathbf{u})$, $D_{\mathbf{u}}f = 1$. Therefore,
$\sum_{\mathbf{x} \in \mathbb{F}_2^n} D_{\mathbf{u}}f(\mathbf{x})$ counts the number of input values in which function values change when the
change in direction of u is applied. We can apply the same idea to $\hat f$ and obtain
$D_{\mathbf{u}}\hat f = \hat f(\mathbf{x})\, \hat f(\mathbf{x} \oplus \mathbf{u})$, so that $D_{\mathbf{u}}\hat f \in \{-1, 1\}$. When we aggregate $D_{\mathbf{u}}\hat f$ over
$\mathbf{x} \in \mathbb{F}_2^n$, we have the following definition for measuring how sensitive a Boolean function
is in the domain.

Definition 2.1.23. [4, p. 8] The autocorrelation function of $f \in \mathcal{B}_n$ with respect to $\mathbf{u} \in \mathbb{F}_2^n$,
denoted $C_f(\mathbf{u})$, is defined by


We note that $C_f(\mathbf{0}) = 2^n$.

The autocorrelation function measures the overall change of f as a result of the shift
or change caused by a vector u in the domain. We argue that if the overall change is half
of $2^n$, the statistical impact of the shift of u is zero. This notion gives us a cryptographic
property called the strict avalanche criterion (SAC), a concept invented by Webster and
Tavares and published in Crypto 85, which we elaborate in the next section. We can apply
a similar idea to the autocorrelation function of two Boolean functions and measure how
they are related to each other with respect to a vector.


Definition 2.1.24. [4, p. 8] The correlation between two Boolean functions f and g is 


defined by 


d(f, 9) 
Qn-1 x 














The correlation function between f and g with respect to $\mathbf{u} \in \mathbb{F}_2^n$ is an integer
valued function defined by


S-boxes of block ciphers may employ multiple cryptographic Boolean functions.
We want to reduce the correlation between functions as well as the autocorrelation function
values of each function used, to minimize the risk of a correlation attack.

The concept of a derivative gives us another interesting measure of a cryptographic
function, namely linear structure.

Definition 2.1.25. [6], [7] If the derivative of $f \in \mathcal{B}_n$ with respect to $\mathbf{u} \in \mathbb{F}_2^n$, $D_{\mathbf{u}}f$, is
constant, then u is a linear structure of f. If the linear structures of f form a subspace in
$\mathbb{F}_2^n$, we call this subspace a linear space of f.

Depending on the constant derivative, we can further classify a linear structure u
into two types: 0-linear structure, denoted by $LS_0(f)$ if $D_{\mathbf{u}}f = 0$, and 1-linear structure,
denoted by $LS_1(f)$ if $D_{\mathbf{u}}f = 1$.

Theorem 2.1.26. [8] If $LS_1(f) \neq \emptyset$, the dimension of the entire linear space of f is equal
to

$$\dim(LS_0(f)) + 1.$$

In [9], the concept of linear structure was used to show that the strict avalanche
criterion is local in the sense of a derivative, and may not be enough to protect a block
cipher from a statistical attack.
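
The measures defined in this section can be computed directly from a truth table; the following added example (not code from the thesis) evaluates the Walsh-Hadamard spectrum, the derivative, the autocorrelation as the sum of the sign derivative over all x, and the 0- and 1-linear structures. It assumes truth-table position i is the input whose bit k (least significant first) is x_{k+1}; the function names and the second function G = x1 XOR x2x3 are constructed for illustration.

```python
"""Walsh-Hadamard spectrum, derivatives and linear structures (added example).

Assumed convention: truth-table position i is the input x whose bit k
(least significant first) is x_{k+1}; vectors u and w are integers likewise.
"""


def bits(s):
    return [int(ch) for ch in s]


def sign(f):
    """Sign function: 1 - 2 f(x), so 0 -> +1 and 1 -> -1."""
    return [1 - 2 * v for v in f]


def dot(w, x):
    """Dot product w.x over F_2."""
    return bin(w & x).count("1") & 1


def walsh_hadamard(f):
    """W_f(w) = sum over x of sign(f)(x) * (-1)^(w.x), for every w."""
    fh, size = sign(f), len(f)
    return [sum(fh[x] * (1 - 2 * dot(w, x)) for x in range(size))
            for w in range(size)]


def linear_function(w, n):
    """Truth table of the linear function x -> w.x."""
    return [dot(w, x) for x in range(1 << n)]


def weight(f):
    return sum(f)


def distance(f, g):
    """Hamming distance: number of positions where the truth tables differ."""
    return sum(1 for a, b in zip(f, g) if a != b)


def derivative(f, u):
    """D_u f(x) = f(x) XOR f(x XOR u), as a truth table."""
    return [f[x] ^ f[x ^ u] for x in range(len(f))]


def autocorrelation(f, u):
    """Sum over x of the sign derivative sign(f)(x) * sign(f)(x XOR u)."""
    fh = sign(f)
    return sum(fh[x] * fh[x ^ u] for x in range(len(f)))


def linear_structures(f):
    """Return (LS_0, LS_1): the u with D_u f identically 0, respectively 1."""
    ls0, ls1 = [], []
    for u in range(len(f)):
        d = derivative(f, u)
        if not any(d):
            ls0.append(u)
        elif all(d):
            ls1.append(u)
    return ls0, ls1


def check_lemmas(f, n):
    """True when Lemmas 2.1.17, 2.1.19 and 2.1.20 (with g = w.x) hold for f."""
    spectrum = walsh_hadamard(f)
    ok = weight(f) == (2 ** n - sum(sign(f))) // 2               # Lemma 2.1.17
    for w in range(1 << n):
        l_w = linear_function(w, n)
        xor = [a ^ b for a, b in zip(f, l_w)]
        ok = ok and distance(f, l_w) == weight(xor)              # Lemma 2.1.19
        ok = ok and distance(f, l_w) == 2 ** (n - 1) - spectrum[w] // 2  # Lemma 2.1.20
    return ok


F = bits("10011101")   # the function of Table 2.3
G = bits("01010110")   # constructed sample: x1 XOR x2x3

if __name__ == "__main__":
    print("W_F         :", walsh_hadamard(F))
    print("C_F(u)      :", [autocorrelation(F, u) for u in range(8)])
    print("LS_0, LS_1 F:", linear_structures(F))
    print("LS_0, LS_1 G:", linear_structures(G))
    print("lemmas hold :", check_lemmas(F, 3) and check_lemmas(G, 3))
```

For G, u = 1 (a change in x1 only) is a 1-linear structure, so the linear space {0, 1} has dimension dim(LS_0) + 1 = 1, as Theorem 2.1.26 states.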


2.2. APPLICATION OF CRYPTOGRAPHIC BOOLEAN FUNCTIONS


In this section, we briefly comment on some applications of cryptographic Boolean
functions. Boolean functions are typically used for the construction of S-boxes for block
ciphers, nonlinear filters for a linear-feedback shift register (LFSR), nonlinear combiners
for multiple LFSRs in a stream cipher, or hashing functions in an asymmetric cipher.


2.2.1. Block Ciphers


A block cipher breaks down the text into blocks of some size, and enciphers and
deciphers it block by block. Boolean functions play a crucial role in analyzing and designing
block ciphers. The two prominent techniques to design a block cipher are Feistel ciphers
and substitution permutation networks (SPNs). Regardless of the scheme, it uses
substitution boxes or S-boxes. For example, DES uses eight fixed S-boxes, which convert a six-bit
input string to a four-bit string. Table 2.4 shows the first S-box of DES, which consists
of four lookup tables numbered 0 through 15. Each row can be represented by a vectorial
Boolean function, $F(\mathbf{x}) : \mathbb{F}_2^4 \to \mathbb{F}_2^4$, which can be composed with four four-variable
Boolean functions. Each function takes a six-bit string and extracts the first and the last bit
to determine which row of the table to use. Then, the middle four bits process through the
vectorial function to output the substitution value. Table 2.5 shows the Boolean
representation of the first S-box, and Table 2.6 lists the four cryptographic Boolean functions for
the first row of the first S-box.

Typically, S-boxes are the only nonlinear features in a block cipher. Without
nonlinear S-boxes, almost all block ciphers could be solved with little effort. Therefore, when
designing an S-box for a block cipher, we must consider known relevant cryptographic
characteristics of S-boxes to optimize their security. In [1], a complete set of replacement
S-boxes for DES based on Boolean functions is presented.

Table 2.4: 1st S-box of DES in Decimal From [4, p. 170]

Row\Col | 0000 | 0001 | 0010 | 0011 | 0100 | 0101 | 0110 | 0111
00 | 1110 | 0100 | 1101 | 0001 | 0010 | 1111 | 1011 | 1000
01 | 0000 | 1111 | 0111 | 0100 | 1110 | 0010 | 1101 | 0001
10 | 0100 | 0001 | 1110 | 1000 | 1101 | 0110 | 0010 | 1011
11 | 1111 | 1100 | 1000 | 0010 | 0100 | 1001 | 0001 | 0111

Row\Col | 1000 | 1001 | 1010 | 1011 | 1100 | 1101 | 1110 | 1111
00 | 0011 | 1010 | 0110 | 1100 | 0101 | 1001 | 0000 | 0111
01 | 1010 | 0110 | 1100 | 1011 | 1001 | 0101 | 0011 | 1000
10 | 1111 | 1100 | 1001 | 0111 | 0011 | 1010 | 0101 | 0000
11 | 0101 | 1011 | 0011 | 1110 | 1010 | 0000 | 0110 | 1101

Table 2.5: 1st S-box of DES in Binary



































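Col | Boolean Function (ANF and Truth Table)
1 | $1 \oplus x_1 \oplus x_3 \oplus x_4 \oplus x_2x_3 \oplus x_3x_4 \oplus x_1x_2x_3 \oplus x_2x_3x_4$
  | 1010011101010100
2 | $1 \oplus x_3 \oplus x_4 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_4 \oplus x_1x_2x_4$
  | 1110010000111001
3 | $1 \oplus x_1 \oplus x_2 \oplus x_1x_2 \oplus x_1x_3 \oplus x_2x_3 \oplus x_1x_4 \oplus x_2x_4 \oplus x_3x_4 \oplus x_1x_3x_4 \oplus x_2x_3x_4$
  | 1000111011100001
4 | $x_2 \oplus x_4 \oplus x_1x_3 \oplus x_1x_4 \oplus x_1x_2x_4$
  | 0011011010001101

Table 2.6: Boolean Function Representation of the First Row of the First S-box of DES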
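
The truth-table-to-ANF conversion of Section 2.1 can be checked against Tables 2.3, 2.5 and 2.6 with the binary Möbius transform, a standard technique used here in place of the minterm expansion of Example 2.1.13 and the transeunt triangle of [5]. This is an added example, not code from the thesis. It assumes truth-table position i is the input whose bit k (least significant first) is x_{k+1}; all function names are illustrative.

```python
"""ANF of a Boolean function via the binary Moebius transform (added example).

Assumed convention: truth-table position i is the input whose bit k
(least significant first) is x_{k+1}.
"""


def bits(s):
    return [int(ch) for ch in s]


def moebius(table):
    """Truth table -> ANF coefficients. The transform is its own inverse."""
    a = list(table)
    size = len(a)
    if size == 0 or size & (size - 1):
        raise ValueError("length must be a power of two")
    step = 1
    while step < size:
        for i in range(size):
            if i & step:
                a[i] ^= a[i ^ step]  # fold in the entry with this variable cleared
        step <<= 1
    return a


def monomials(coeffs):
    """ANF terms with nonzero coefficient, e.g. ['1', 'x1', 'x1x3']."""
    terms = []
    for mask, c in enumerate(coeffs):
        if c:
            names = [f"x{k + 1}" for k in range(mask.bit_length()) if (mask >> k) & 1]
            terms.append("".join(names) or "1")
    return terms


def degree(coeffs):
    """Number of variables in the largest monomial with a nonzero coefficient."""
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)


def is_homogeneous(coeffs):
    """True when every ANF term has the same degree."""
    return len({bin(m).count("1") for m, c in enumerate(coeffs) if c}) <= 1


def coordinate_functions(row):
    """Split a row of 4-bit S-box outputs into four truth tables, leftmost bit first."""
    return [[int(word[j]) for word in row] for j in range(4)]


def sbox_report(row):
    """(truth table, ANF terms, degree) for each coordinate function of the row."""
    report = []
    for table in coordinate_functions(row):
        anf = moebius(table)
        report.append(("".join(map(str, table)), monomials(anf), degree(anf)))
    return report


TABLE_2_3 = bits("10011101")                  # truth table of Table 2.3
EXAMPLE_2_1_12 = bits("0001000000001000")     # ANF coefficient string of Example 2.1.12

# Row 00 of the first DES S-box, copied from Table 2.5 (columns 0000 to 1111).
SBOX1_ROW00 = ["1110", "0100", "1101", "0001", "0010", "1111", "1011", "1000",
               "0011", "1010", "0110", "1100", "0101", "1001", "0000", "0111"]

if __name__ == "__main__":
    anf = moebius(TABLE_2_3)
    print("Table 2.3 ANF column:", "".join(map(str, anf)))
    print("terms:", " + ".join(monomials(anf)), "| degree", degree(anf))
    for col, (table, terms, deg) in enumerate(sbox_report(SBOX1_ROW00), start=1):
        print(col, table, " + ".join(terms), "| degree", deg)
```

Here "+" in the printed output stands for XOR. All four coordinate functions of the row have degree 3.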


The S-boxes in DES are predetermined and typically implemented as a lookup table
for simplicity. However, block ciphers, such as BLOWFISH [10] and TWOFISH [11], do
not use fixed lookup tables (S-boxes), since they generate S-boxes from the key for each
session.


2.2.2. Stream Ciphers


A stream cipher encrypts a plaintext bit by bit with secret-key stream bits. In
general, an XOR operation of a plaintext bit and secret-key stream bit results in a ciphertext bit.
A stream cipher integrates pseudo-random bit generators (PRBG) to produce a key stream.
In electronic circuits, a shift register is a sequential logic circuit for storage of binary data.
It is set up in a linear fashion such that the stored data is shifted to a predetermined direction
when the circuit is on. A linear-feedback shift register (LFSR) is a shift register which takes
the output of a linear function of two or more bits from its previous state [4, p. 19]. We
assume an LFSR has n > 1 variables. Table 2.7 shows the LFSR sequence generated by
the Boolean function of 4 variables, $x_1 \oplus x_4$, with the initial vector $\mathbf{x} = x_1x_2x_3x_4 = 0101$.
For example, from the initial vector, $x_1 = 0$ and $x_4 = 1$. Therefore, $x_1 \oplus x_4 = 0 \oplus 1 = 1$.
This feedback sets the next $x_1 = 1$, and the previous $x_1$, $x_2$, and $x_3$ shift to $x_2$, $x_3$, and $x_4$,
respectively, which sets the next state, $\mathbf{x} = x_1x_2x_3x_4 = 1010$. It repeats this process until
the LFSR obtains the initial vector again. The number of steps needed to reach the initial
vector is called the cycle of an LFSR. We note that the LFSR on Table 2.7 has a cycle of
$2^4 - 1 = 15$, which is the maximum cycle possible.

Figure 2.1: LFSR of $x_1 = x_1 \oplus x_4$


x1 | x2 | x3 | x4 | Output | x1 | x2 | x3 | x4 | Output
0 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 1 | 1
1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 1
1 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 | 1
0 | 1 | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 1
0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0
1 | 0 | 0 | 1 | 0 | 0 | 1 | 1 | 1 | 1
0 | 1 | 0 | 0 | 0 | 1 | 0 | 1 | 1 | 0
0 | 0 | 1 | 0 | 0 | 0 | 1 | 0 | 1 | 1

Table 2.7: Bit Stream Generated by LFSR of $x_1 = x_1 \oplus x_4$ with Initial Vector 0101

We can integrate a nonlinear filter or an n-variable Boolean function with good
cryptographic properties to generate secure key streams.

One way to construct a PRBG is to combine LFSRs and cryptographic Boolean
functions. We consider two applications of cryptographic Boolean functions in stream
ciphers: a nonlinear filter and a nonlinear combiner. In the nonlinear filter setup, an LFSR
and a cryptographic Boolean function as a nonlinear filter can generate a secret-key stream.
As the LFSR shifts through the states, the nonlinear filter processes n variables from each
state and outputs a key bit. Figure 2.2 illustrates this process.


Figure 2.2: Nonlinear Filter (diagram: an LFSR of length n feeds a nonlinear Boolean function f(X), which outputs the keystream)
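
The LFSR of Table 2.7 and the nonlinear filter setup can be simulated in a few lines; this is an added example, not code from the thesis. The choice of the fourth coordinate function of Table 2.6 as the filter, the mapping of state bit x_{k+1} to index bit k, and all names are assumptions made for illustration.

```python
"""LFSR of Table 2.7 and a nonlinear filter generator (added example)."""


def lfsr_step(state, taps):
    """One shift of an LFSR with state (x1, ..., xn).

    The XOR of the tapped positions (1-based) becomes the new x1 and the old
    x1..x_{n-1} move to x2..xn. Returns (next_state, feedback_bit).
    """
    feedback = 0
    for t in taps:
        feedback ^= state[t - 1]
    return (feedback,) + tuple(state[:-1]), feedback


def lfsr_rows(initial, taps):
    """Rows (state, feedback bit) from the initial state until it recurs.

    Raises ValueError if the initial state has not recurred after 2^n steps:
    a feedback without a tap on x_n is not invertible, so some states are
    never revisited.
    """
    start = tuple(initial)
    rows, state = [], start
    for _ in range(2 ** len(start)):
        nxt, feedback = lfsr_step(state, taps)
        rows.append((state, feedback))
        state = nxt
        if state == start:
            return rows
    raise ValueError("initial state does not recur")


def cycle_length(initial, taps):
    """Number of steps needed to reach the initial vector again."""
    return len(lfsr_rows(initial, taps))


def filter_keystream(initial, taps, filter_table):
    """Apply a nonlinear filter (given as a truth table) to each state of one cycle."""
    stream = []
    for state, _ in lfsr_rows(initial, taps):
        index = sum(bit << k for k, bit in enumerate(state))  # x_{k+1} is bit k
        stream.append(filter_table[index])
    return stream


TAPS = (1, 4)                 # feedback x1 XOR x4
INITIAL = (0, 1, 0, 1)        # initial vector 0101
# Assumed filter: fourth coordinate function of Table 2.6,
# x2 + x4 + x1x3 + x1x4 + x1x2x4 (with + meaning XOR).
FILTER = [int(ch) for ch in "0011011010001101"]

if __name__ == "__main__":
    for state, out in lfsr_rows(INITIAL, TAPS):
        print("".join(map(str, state)), out)
    print("cycle:", cycle_length(INITIAL, TAPS))
    print("filtered keystream:", "".join(map(str, filter_keystream(INITIAL, TAPS, FILTER))))
```

The all-zero state maps to itself, which is why the maximum cycle is 2^4 - 1 rather than 2^4.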


Turing is a stream cipher developed for CDMA (Code Division Multiple Access),
which is a wireless communication protocol developed by Qualcomm [12]. Turing
generates 160 bits of output in each round by applying a nonlinear filter to the internal state of
an LFSR [13]. In the nonlinear combiner setup, an n-variable Boolean function with good
cryptographic properties takes n output bits, each from n distinct LFSRs, and outputs a
secret stream bit. Figure 2.3 illustrates a nonlinear combiner of n LFSRs. An example for
this setup is A5/2, which is the stream cipher used to encrypt voice transmissions in the
GSM cellular telephone network. A5/2 is based on four LFSRs and a nonlinear combiner.

Figure 2.3: Nonlinear Combiner (diagram: n LFSRs feed a nonlinear Boolean function of n variables, which outputs the keystream)


2.2.3. Hash Functions 


Some secure communications protocols and asymmetric ciphers use hash functions 
to ensure authenticity, integrity, and nonrepudiation of a message. A hashing function can 
be integrated into a secure communication system to detect an unauthorized modification or 
tampering. Secure email systems can employ a digital-signature scheme that uses hashing 
functions to ensure the reliability of a message. Since a hashing function does not require a 
decryption or recovery of the original message, in a software-based implementation we can 
use a fast Boolean function with good cryptographic properties. Some candidates for this 
purpose are symmetric and rotation-symmetric Boolean functions, since we can evaluate 


them faster due to their simple structures. A Boolean function is symmetric if vectors with
the same Hamming weight have the same function value. A Boolean function is rotation
symmetric if the function renders the same function value for an input vector and its rotation
equivalents.

x | 0000 | 0001 | 0010 | 0011 | 0100 | 0101 | 0110 | 0111
f(x): Symmetric | 0 | 1 | 1 | 0 | 1 | 0 | 0 | 1
g(x): RSBF | 1 | 1 | 1 | 0 | 1 | 1 | 0 | 1
x | 1000 | 1001 | 1010 | 1011 | 1100 | 1101 | 1110 | 1111
f(x): Symmetric | 1 | 0 | 0 | 1 | 0 | 1 | 1 |
g(x): RSBF | 1 | 0 | 1 | 1 | 0 | 1 | 1 | 1

Table 2.8: Comparison of a Symmetric and Rotation-Symmetric Boolean Function

Table 2.8 illustrates the symmetric and rotation-symmetric functions. The function
f(x) is symmetric, since it has the same function value for all vectors of each Hamming
weight. The function g(x) is rotation symmetric, since each vector and its rotation
equivalents have the same function values. We note that if a function is symmetric, then it is also
rotation symmetric. However, the converse is not true, since in a rotation-symmetric
function a rotation equivalent of a vector with Hamming weight k and a vector of the same
Hamming weight that is not a rotation equivalent may have different function values.
We give a proper definition of rotation-symmetric Boolean functions
and their properties in the next chapter.
2.3. CRYPTOGRAPHIC CHARACTERISTICS OF BOOLEAN FUNCTIONS 


In [14], Shannon establishes two important principles in designing a cipher: confusion
and diffusion. He introduces the principle of confusion to ensure that the relationship
between the ciphertext and the encryption or decryption key is as complex as possible,
and the principle of diffusion to ensure the plaintexts are dissipated into the
space of ciphertext. Most cryptographic characteristics discussed here are well studied and
address Shannon’s confusion and diffusion principles in a cipher. We review some
well-studied characteristics and outline the significance of the corresponding property.


2.3.1. Balancedness 


A Boolean function $f \in \mathcal{B}_n$ is balanced if the truth table of $f$ has $2^{n-1}$ zeros and
$2^{n-1}$ ones. We observe that if $f$ is balanced, $wt(f) = 2^{n-1}$. A balanced Boolean function
counters statistics-based attacks and correlation attacks. We can measure how close the
Boolean function is to a balanced one by the following measure.

Definition 2.3.1. [15] The imbalance $I_f$ of a Boolean function $f$ is defined as follows


Tes) (50): 


xeFS 


The correlation between $f(x)$ and the constant function $f(x) = 0$ or $1$ satisfies $-1 \le I_f \le 1$.
A balanced function $f$ has zero correlation to a constant function, since $I_f = 0$. The
balancedness can be checked by the Walsh-Hadamard transform as shown in the lemma
below.

Lemma 2.3.2. A Boolean function $f$ is balanced if and only if $W_f(0) = 0$.


2.3.2. Algebraic Degree

Consider a Boolean function in ANF, $f(x) = \bigoplus_{j=1}^{2^n} c_j \cdot x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n}$, as in
Definition 2.1.11. The algebraic degree of $f(x)$ is the largest number of variables in a term
$c_j \cdot x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n}$ with $a_i = c_j = 1$ with $i = 1, 2, \ldots, n$. We denote the algebraic degree of
$f \in \mathcal{B}_n$ as $\deg(f)$. Using interpolation cryptanalysis [16] and high-order differential
cryptanalysis [17], a cryptanalyst can carry out an effective attack on some ciphers employing
low-degree Boolean functions.


2.3.3. Nonlinearity 


The use of affine Boolean functions in a cipher is undesirable, due to the simple
algebraic structure of affine functions. We want to use Boolean functions that are far away
from an affine function, which gives us the following measure.

Definition 2.3.3. [4, p. 7] Let $A_n$ be a set of all affine Boolean functions of n variables. The
nonlinearity of a Boolean function, denoted by $nl(f)$, is the minimum Hamming distance
between $f$ and any function in $A_n$.

Theorem 2.3.4. [4, p. 13] For $f \in \mathcal{B}_n$,

$$nl(f) = 2^{n-1} - \frac{1}{2} \max_{u \in \mathbb{F}_2^n} |W_f(u)|.$$

The following upper limit for the nonlinearity is well known (see Seberry and Zhang [18]).

Theorem 2.3.5. [18] For $f \in \mathcal{B}_n$,

$$nl(f) \le 2^{n-1} - 2^{n/2-1}.$$

We observe that $2^{n/2-1}$ in Theorem 2.3.5 is not an integer if n is odd. If n is even,
we have a special family of functions, called bent functions, that achieve the nonlinearity
bound.

Definition 2.3.6. Let $f \in \mathcal{B}_n$ and n be even. Then f is a bent function if

$$nl(f) = 2^{n-1} - 2^{n/2-1}.$$

If n is odd with $n = 2k + 1$, $k = 0, 1, 2, \ldots$, the bent concatenation bound is defined as

$$2^{n-1} - 2^{(n-1)/2}.$$

It is known that the algebraic degree of a bent function is bounded above by $\frac{n}{2}$ [4,
p. 80]. The r-order nonlinearity, denoted by $nl_r(f)$, is its distance from the set of all n
variable functions of algebraic degrees at most r. A Boolean function needs to have higher
r-order nonlinearity to resist a fast algebraic attack [19]. We can also devise a statistical
measure using nonlinearity.

Definition 2.3.7. Given a Boolean function f, the bias of nonlinearity for f, denoted by
e(f) is





The fast correlation attack on f has an on-line complexity proportional to (+) ° [20]. 


2.3.4. Avalanche and Propagation Criteria 
2.3.4.1. Strict Avalanche Criterion (SAC)

The strict avalanche criterion is one of the cryptographic characteristics that
cover the diffusion principle. The main point is that when we change an element of the
input vector, we want the effect of the change equally distributed throughout the truth
table. This idea was first introduced by Webster and Tavares in [21]. Given $f(x) \in \mathcal{B}_n$
and an input $x = (x_1, x_2, \ldots, x_n)$, if we select an $x_k$ in $x$ with $1 \le k \le n$, then we
can envision the domain $\mathbb{F}_2^n$ as two equivalence classes, $A = \{(x_1, \ldots, x_n) \mid x_k = 0\}$ and
$B = \{(x_1, \ldots, x_n) \mid x_k = 1\}$. We note that there are $2^{n-1}$ unique pairs $(x, y)$ with $x \in A$
and $y \in B$ such that $x_i = y_i$ with $i = 1, 2, \ldots, n$ except for when $i = k$. Without loss of
generality, assume $x_k = 0$. As $x_k$ changes from 0 to 1, some pairs have the same function
values (are not affected by the change), and the others have their function values changed
from 0 to 1 or 1 to 0. The Boolean function f satisfies the SAC, if exactly half of the pairs
change their function values for all k.


Example 2.3.8. [4, p. 25] In Table 2.9, if we fix $x_2 = 0$, we have f(000) = 1, f(001) = 1,
f(100) = 0, and f(101) = 1. When $x_2$ becomes 1, we have f(010) = 1, f(011) = 0,
f(110) = 1, and f(111) = 1. We observe that as $x_2$ changes from 0 to 1, $f(0x_20)$ and
$f(1x_21)$ do not change, but $f(0x_21)$ and $f(1x_20)$ change. We can check $x_1$ and $x_3$ in a
similar manner and observe the same result. Therefore, f satisfies the SAC.

The next lemma is a well-known equivalent statement to the definition of
the SAC.

x | 000 | 001 | 010 | 011 | 100 | 101 | 110 | 111
f(x) | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 1

Table 2.9: A 3-variable Function Which Satisfies the SAC


Lemma 2.3.9. [21] A Boolean function f satisfies the SAC if and only if $C_f(w) = 0$ for all
$wt(w) = 1$ where $w = (w_1, w_2, \ldots, w_n)$ and $1 \le i \le n$.

Using Lemma 2.3.9, we can develop a computational tool to verify if a
Boolean function satisfies the SAC.

2.3.4.2. Propagation Criteria

The concept of the propagation criterion generalizes the SAC. Preneel et al.
[22] first introduced this idea.

Definition 2.3.10. [4, p. 38] A Boolean function f satisfies the propagation criterion of
degree k or PC(k) if changing the value of any i elements of the input vector with
$1 \le i \le k \le n$ changes exactly half of the function values of the affected vectors.

We can extend Lemma 2.3.9 to cover the PC(k) functions.

Lemma 2.3.11. A Boolean function f satisfies PC(k) if and only if $C_f(w) = 0$ for all
$wt(w) = m$ where $w = (w_1, w_2, \ldots, w_n)$ and $1 \le m \le k$.


2.3.5. Global Avalanche Criterion (GAC) 


In [9], Zhang and Zheng first introduced the concept of GAC. They noted that the
functions with SAC provide some level of security, but the SAC is only “local” and does
not cover all possible linear structures in a Boolean function. PC(k) on the other hand
covers all possibilities. It seems that a large k implies better security. However, when k
is even and k = n, the function is a bent function. Despite the highest nonlinearity, a
bent function is not balanced. To address these issues, they introduced GAC, in which we
measure the avalanche effects throughout all possible n-variable Boolean vectors using the
two measures below.

Definition 2.3.12. [9] Given a Boolean function f(x), the sum-of-squares indicator for the
avalanche characteristic of f(x) is

$$\sigma_f = \sum_{a \in \mathbb{F}_2^n} C_f^2(a),$$

and the absolute indicator for the characteristic is

$$\Delta_f = \max_{a \in \mathbb{F}_2^n} |C_f(a)|,$$

where $C_f(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus f(x \oplus a)}$.

Some cryptographic properties conflict with one another. In this case we see three
conflicting properties, namely balance, nonlinearity, and propagation criteria. The GAC
provides us with two general measures that we can minimize.


2.3.6. Correlation Immunity and Resilience 


Given some Boolean function values f(x), an attacker may guess the relationship
between the elements of input, $x_i$ of $x = (x_1, x_2, \ldots, x_n)$, and f(x). Therefore, we want to
engineer a principle into our function to deal with this kind of situation. Siegenthaler [23]
first conceived the notion of correlation immunity to address this issue.

Definition 2.3.13. [4, p. 49] Let $x_{i_1}, x_{i_2}, \ldots, x_{i_j}$ of $x = (x_1, x_2, \ldots, x_n)$ be any $j$ variables
with $j \le k$ of input x. A Boolean function $f(x) \in \mathcal{B}_n$ has correlation immunity of order
k, denoted by CI(k), if given f(x), the probability of $x_{i_1}, x_{i_2}, \ldots, x_{i_j}$ being a certain value
is $2^{-j}$. In other words, f(x) is statistically independent with respect to any subset of k
variables. In particular, f(x) is called a resilient function of order k if it is CI(k) and
balanced.

Example 2.3.14. The Boolean function in Table 2.10 has CI(1). For example, if
f(x) = 0 and $x_i = x_1$, we can compute the conditional probability with $x_i = 0$,

$\Pr(x_1 = 0 \mid f(x) = 0) =$

the conditional probability with $x_i = 1$,

$\Pr(x_1 = 1 \mid f(x) = 0) =$

The same procedures can check for $x_i = x_2, x_3$ to conclude that the function has
CI(1). However, we observe that


Pai —1Mte=— Tix) 0) 
Pr(f(x) = 0) 





1/8 
6/8 


x 


Ape 


Therefore, f(x) does not have CI(2).

Table 2.10: A three-variable function with CI(1)

There is an efficient way to verify CI using the Walsh-Hadamard transform.

Lemma 2.3.15. [4, p. 50] Let $f \in \mathcal{B}_n$. $CI(f) = k$ with $1 \le k \le n$ if and only if

$$W_f(w) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus w \cdot x} = 0$$

for all w where $1 \le wt(w) \le k$.
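The checks in Lemmas 2.3.2, 2.3.9, 2.3.11 and 2.3.15, Theorem 2.3.4 and Definition 2.3.12 can be computed together from a truth table. The following is an added example, not code from the thesis: it profiles the function of Table 2.9 and, as a constructed second input, the 4-variable bent function x1x2 XOR x3x4. Truth tables are indexed with x1 as the most significant bit, and the absolute indicator is taken over nonzero a (an assumption of this example, since C_f(0) always equals 2^n).

```python
def walsh_hadamard(tt):
    """W_f(w) = sum_x (-1)^(f(x) XOR w.x), computed with the fast butterfly."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def autocorrelation(tt):
    """C_f(a) = sum_x (-1)^(f(x) XOR f(x XOR a)) for every a."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ a]) for x in range(size))
            for a in range(size)]


def algebraic_degree(tt):
    """Degree of the ANF via the binary Moebius transform (0 for constants)."""
    anf = list(tt)
    h = 1
    while h < len(anf):
        for i in range(0, len(anf), 2 * h):
            for j in range(i, i + h):
                anf[j + h] ^= anf[j]
        h *= 2
    return max((bin(u).count("1") for u, c in enumerate(anf) if c), default=0)


def vanishing_order(values):
    """Largest k with values[v] == 0 for every v of weight 1 <= wt(v) <= k."""
    n = len(values).bit_length() - 1
    k = 0
    for weight in range(1, n + 1):
        if any(values[v] for v in range(len(values))
               if bin(v).count("1") == weight):
            break
        k = weight
    return k


def profile(tt):
    n = len(tt).bit_length() - 1
    w = walsh_hadamard(tt)
    c = autocorrelation(tt)
    return {
        "balanced": w[0] == 0,                                 # Lemma 2.3.2
        "degree": algebraic_degree(tt),
        "nonlinearity": 2 ** (n - 1) - max(abs(v) for v in w) // 2,
        "sac": vanishing_order(c) >= 1,                        # Lemma 2.3.9
        "pc_order": vanishing_order(c),                        # Lemma 2.3.11
        "ci_order": vanishing_order(w),                        # Lemma 2.3.15
        "sum_of_squares": sum(v * v for v in c),               # sigma_f
        "absolute_indicator": max(abs(v) for v in c[1:]),      # over a != 0
    }


TABLE_2_9 = [1, 1, 1, 0, 0, 1, 1, 1]
# Constructed sample: bent function x1x2 XOR x3x4 on four variables.
BENT_4 = [((x >> 3) & (x >> 2) & 1) ^ ((x >> 1) & x & 1) for x in range(16)]

if __name__ == "__main__":
    print(profile(TABLE_2_9))
    print(profile(BENT_4))
```

For the Table 2.9 function the autocorrelation is zero at every input of weight 1 and 2 but equals 8 at a = 111, so the function passes the SAC while still having a linear structure, which is the "local" limitation the GAC section describes.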


2.3.7. Algebraic Immunity

For decades, linearization and some of its variations have been used to attack a
stream cipher employing a Boolean function. They typically use Gaussian elimination as a
core algorithm. By choosing a Boolean function with a high degree, we can substantially
increase the computing resources needed to carry out an attack, which renders linearization
useless as a practical technique to solve a stream cipher. However, a new class of attack
was introduced in 2003. It was shown that if a stream cipher employs a Boolean function
$f$ or $f \oplus 1$ with a low-degree function $g$ such that $fg = 0$ or $(f \oplus 1)g = 0$, the cipher can be
methodically solved by the algebraic attack discussed in [24] and [25].

Definition 2.3.16. For any $f \in \mathcal{B}_n$, a nonzero function $g \in \mathcal{B}_n$ is called an annihilator of
$f$ if $fg = 0$, and the algebraic immunity of $f$, denoted by $AI(f)$, is the minimum value of
d such that $f$ or $f \oplus 1$ admits an annihilator of degree d [26].

The following two cases are algebraic attack possibilities [24].

Case 1: Assume that there exists a function g of low algebraic degree such that
$fg = h$, where h is a nontrivial function with low algebraic degree.

Case 2: Assume that there exists a function g of low algebraic degree such that
$fg = 0$. In 2003, Courtois and Meier showed that the algebraic immunity of an n variable
Boolean function is bounded above by $\lceil n/2 \rceil$.

Remark 2.3.17. [27] While algebraic immunity is an important cryptographic property, it
is not enough to resist fast algebraic attacks, a more efficient form of algebraic attacks. If
we can find g of low degree and h of algebraic degree not much larger than n/2, such that
$fg = h$, then f is susceptible to fast algebraic attacks [24], [28].


2.3.8. Normality 


The normality was first discussed by Dobbertin while examining bent functions
in [29]. Since the number of variables in a bent function is even, the initial focus was
on the even variable functions, which are invariant with respect to the vectors in a flat.
Dobbertin called a Boolean function of even variables “normal” if it is invariant on a flat of
the dimension $\frac{n}{2}$. Later this concept was generalized for odd variable functions invariant in
a flat of dimension $\lceil \frac{n}{2} \rceil$. Dobbertin conjectured that all bent functions are normal. However,
some non-normal bent functions were discovered by Canteaut et al. [30], and the notion
of normality became an independent measure for general Boolean functions. Later, it was
shown that there are very few normal functions, and the definition below was established
by Carlet [31].

Definition 2.3.18. A Boolean function $f \in \mathcal{B}_n$ is called k-normal if there exists a
k-dimensional flat G on which f is constant. We denote such condition as $f|_G = 0$ or $1$. If $k = \lceil \frac{n}{2} \rceil$,
f is simply called a normal function.

General information on the normality can be found in [32].


2.4. TRADEOFFS BETWEEN CRYPTOGRAPHIC PROPERTIES 


Unfortunately, composing or finding good cryptographic Boolean functions has a 
few obstacles, since there are some cryptographic properties that we cannot optimize si- 
multaneously. We present common dilemmas among cryptographic properties with the 


relevant theorems. 


2.4.1. Correlation Immunity and Degree 


In 1984, Siegenthaler [23] showed that there is a necessary tradeoff between achieving
high-degree and high-correlation immunity.

Theorem 2.4.1. [23, Theorem 1] If a Boolean function f is CI(k), then the degree of f is
at most $n - k$. If f is CI(k) with $k < n - 1$ and balanced, then the degree of f is at most
$n - k - 1$.

2.4.2. Correlation Immunity and Nonlinearity

Theorem 2.4.2 illustrates the tradeoff between correlation immunity and nonlinearity
of Boolean functions.

Theorem 2.4.2. [33] If a Boolean function f is CI(k) with $k \le n - 2$,

$$nl(f) \le 2^{n-1} - 2^{k+1}.$$

We can combine Theorems 2.4.1 and 2.4.2 and obtain the following theorems.

Theorem 2.4.3. [4, p. 71] If f is balanced and CI(k) with $k \le n - 2$, then equality is
possible in Theorem 2.4.2 only if f has its maximum possible degree $n - k - 1$.
If $\deg(f) < n - k - 1$, then

$$nl(f) \le 2^{n-1} - 2^{k+2}.$$

The following theorem by Carlet improves Theorem 2.4.3 to incorporate the degree
of the function in the upper bound [4, p. 72].

Theorem 2.4.4. [34] If a balanced Boolean function f with degree d is CI(k) with
$k \le n - 2$, then

$$nl(f) \le 2^{n-1} - 2^{k+1+\lfloor (n-k-2)/d \rfloor}.$$


2.4.3. Algebraic Immunity and Nonlinearity 


The following theorem describes the limit (commonly called “Lobanov’s bound”). 
The theorem implies that we can increase the algebraic immunity of a function along with 
the nonlinearity, but at the expense of decreasing the correlation immunity due to Theorem 


Dito as 


Theorem 2.4.5. [35] If $f \in \mathcal{B}_n$ has algebraic immunity k,

3. AFFINE EQUIVALENCE OF MONOMIAL
ROTATION-SYMMETRIC BOOLEAN FUNCTIONS


3.1. INTRODUCTION 


In this chapter, we study the affine equivalence of monomial rotation-symmetric
(MRS) Boolean functions. A general affine equivalence problem for Boolean functions is
a complete partitioning of the n-variable Boolean function space based on an affine
equivalence relation. A greedy algorithm for affine equivalence verification requires checking
all elements of $GL_n(\mathbb{F}_2)$, and has computational complexity $O(2^{n^2})$. This implies that
if $n > 7$, the problem becomes quite a challenge for current computing platforms. The
first notable effort to solve an affine equivalence problem is found in [36], published in
1964. Berlekamp and Welch [37] in 1972 found all equivalence classes for all five variable
Boolean functions. In 1991, Maiorana [38] computed 150,357 equivalence classes
of six variable Boolean functions. Due to its complexity and size, affine equivalence still
remains a tough problem to deal with, especially for a general solution, which addresses
any $n \in \mathbb{N}$. Besides the pure mathematical perspective, an affine equivalence can be
applied to cryptanalysis and cryptographic engineering. For example, differential and linear
cryptanalyses are two major techniques to solve the S-boxes of block ciphers. If an S-box
is vulnerable to differential or linear cryptanalysis, so are the S-boxes realizing affine
equivalent functions. This fact simplifies the tasks of cryptanalysts, since they just need
to choose and analyze an (easy) representative of an equivalence class. On the other hand,
the cryptographic engineers may take advantage of affine equivalent S-boxes of an S-box
that is strongly resistant to these attacks, since affine transformations have small delays and
preserve much of the cryptographic properties of the original function.

Table 3.1: Affine Equivalence Classes in $\mathcal{B}_n$

A rotation-symmetric Boolean function (RSBF) is invariant under the rotation or
circular shift of an input. For example, if $f \in \mathcal{B}_3$ is rotation symmetric, then f(001) =
f(010) = f(100), f(011) = f(101) = f(110), and so on. Since an RSBF uses repeated
function values, it is relatively fast. However, despite being seemingly simple functions
to evaluate, the class of RSBFs contains many functions richly endowed with good
cryptographic properties. For example, the famous Patterson-Wiedemann function in $\mathcal{B}_{15}$
[39] that achieves nonlinearity 16276, which is strictly greater than the bent concatenation
bound, $2^{15-1} - 2^{(15-1)/2} = 16256$, is rotation symmetric [4, p. 112]. Moreover, Kavut et
al. [40], [41], [42] proved that there exist rotation-symmetric functions of nine variables
with the nonlinearity 241 and 242, which is also strictly greater than the bent concatenation
bound $2^{9-1} - 2^{(9-1)/2} = 240$ [4, p. 112]. Due to their speed and the prospect of being
good cryptographic Boolean functions, RSBFs have received a lot of attention from
cryptographic researchers. In [43], Filiol and Fontaine initially studied cryptographic properties
of RSBFs (they used the term, “idempotent” function instead of RSBF), mainly focusing
on nonlinearity [4, p. 112]. Later, the nonlinearity and correlation immunity of RSBFs
were studied thoroughly in [44], [45], [46], [47], and [48]. The RSBFs’ speed and potential
to have good cryptographic properties make them suitable for such an application as
hashing algorithms. Pieprzyk and Qu studied the use of RSBFs in a hashing algorithm in
[3]. We note the papers [49] and [50] dealing with algebraic immunity of RSBFs. The class
of RSBFs is an interesting one to which to apply the notion of affine equivalence, as the function
space is much smaller ($\approx 2^{2^n/n}$) than the total space of Boolean functions ($2^{2^n}$), and the
set contains functions with very good cryptographic properties. It has been experimentally
demonstrated that there are RSBFs that are simultaneously good in terms of balancedness,
nonlinearity, correlation immunity, algebraic degree, and algebraic immunity.

There has been consistent effort to investigate the affine equivalence of RSBFs.
Some recent efforts include [51], [52], [53], [54], and [55]. In this chapter, we focus on a
type of affine equivalence named “S-equivalence” applied to monomial rotation-symmetric
(MRS) functions. The material in this chapter is based on Chung and Stanica [56].


3.2. AFFINE EQUIVALENCE OF BOOLEAN FUNCTIONS 


Definition 3.2.1. We say that $f, g \in \mathcal{B}_n$ are affine equivalent if there exists an $n \times n$
invertible matrix $A$ over the finite field $\mathbb{F}_2$, the vectors $b, c \in \mathbb{F}_2^n$ and $d \in \mathbb{F}_2$ such that

$$g(x) = f(xA \oplus b) \oplus c \cdot x \oplus d.$$

Some researchers prefer a simplified version of equivalence where c = 0 and d = 0.

Definition 3.2.2. [55] We say that two Boolean functions f(x) and g(x) in $\mathcal{B}_n$ are equivalent
under an affine transformation if $g(x) = f(xA \oplus b)$, where $A$ is an $n \times n$ nonsingular
matrix over the finite field $\mathbb{F}_2$ and b is an n-dimensional vector over $\mathbb{F}_2$. We say $f(xA \oplus b)$
is a nonsingular affine transformation of f(x).

In this thesis, we focus on a type of affine equivalence where b = 0, c = 0, d = 0,
and A is a permutation matrix. We will define this notion called “S-equivalence” in a later
section.

Example 3.2.3. Consider the following five variable Boolean functions,

$$f = x_1x_2 \oplus x_3x_4x_5$$

$$f_1 = x_1x_2 \oplus x_3x_4x_5 \oplus x_1 \oplus x_3$$

$$f_2 = x_1x_2 \oplus x_3x_4x_5 \oplus x_2 \oplus x_3 \oplus x_5 \oplus 1$$

$$f_3 = x_3x_4 \oplus x_1x_2x_5 \oplus x_1 \oplus x_3 \oplus 1$$

$$f_4 = (x_4 \oplus 1)x_3 \oplus x_1x_2(x_5 \oplus 1) \oplus x_1 \oplus x_3 \oplus 1$$

$$= x_3x_4 \oplus x_1x_2x_5 \oplus x_1x_2 \oplus x_1 \oplus 1$$

We see that $f_1 = f \oplus c \cdot x$, where c = (1,0,1,0,0). $f_2 = f \oplus c \cdot x \oplus d$, where
c = (0,1,1,0,1) and d = 1. $f_3 = f(xA) \oplus c \cdot x \oplus d$, where

$$A = \begin{pmatrix} 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \end{pmatrix},$$

c = (1,0,1,0,0), and d = 1. $f_4 = f(xA \oplus b) \oplus c \cdot x \oplus d$, where A, c, and d are the same as for
$f_3$ with b = (1,0,0,1,0).

Essentially, a permutation transformation rearranges the order of input, which
preserves the Hamming weight of the truth table. Clearly, if f and g are equivalent under
affine transformation, then $wt(f) = wt(g)$ and $nl(f) = nl(g)$. However, the sufficiency
only holds for quadratic Boolean functions.

Theorem 3.2.4. [56] Two quadratic functions f and g in $\mathcal{B}_n$ are equivalent under affine
transformation if and only if $wt(f) = wt(g)$ and $nl(f) = nl(g)$.

Unfortunately, the result cannot be extended to higher degrees. In S-equivalence,
we obtain a similar result for degrees > 2. If two functions f and g in $\mathcal{B}_n$ are S-equivalent,
then $wt(f) = wt(g)$ and $nl(f) = nl(g)$. The converse of the statement does not hold. We
can still use the result to show non-equivalence in many cases.


3.3. ROTATION-SYMMETRIC BOOLEAN FUNCTIONS

Definition 3.3.1. Let $x_i \in \mathbb{F}_2$ for $1 \le i \le n$. For $1 \le k \le n$, we define the permutation $\rho^k$
on $(x_1, x_2, \ldots, x_n) \in \mathbb{F}_2^n$ such that

$$\rho^k(x_1, x_2, \ldots, x_{n-1}, x_n) = (\rho^k(x_1), \rho^k(x_2), \ldots, \rho^k(x_{n-1}), \rho^k(x_n)),$$

where

$$\rho^k(x_i) = x_{i+k} \text{ if } i + k \le n$$

and

$$\rho^k(x_i) = x_{i+k-n} \text{ if } i + k > n.$$

Hence, $\rho^k$ acts as k-cyclic rotation on an n-bit vector.

Based on the permutation in Definition 3.3.1, we define the RSBF.

Definition 3.3.2. A Boolean function f is called rotation symmetric if, for each vector
$(x_1, x_2, \ldots, x_n) \in \mathbb{F}_2^n$,

$$f(\rho^k(x_1, x_2, \ldots, x_n)) = f(x_1, x_2, \ldots, x_n) \text{ for } 1 \le k \le n.$$

Definition 3.3.2 implies that the rotation-symmetric Boolean functions (RSBFs)
are invariant under a cyclic rotation of input vectors. Clearly, the input vectors in a rotation
class are in an equivalence relation. Therefore, the inputs of a rotation-symmetric Boolean
function can be divided into partitions so that each partition consists of all cyclic shifts of
one input. A partition is generated by say $G_n(x_1, x_2, \ldots, x_n) = \{\rho^k(x_1, x_2, \ldots, x_n) \mid 1 \le k \le n\}$,
and we denote the number of such partitions $g_n$. By the product rule of combinatorics,
the number of n-variable RSBFs is $2^{g_n}$. Let $\phi(k)$ be Euler’s phi-function. Then,
from Burnside’s lemma [48],


k|n 
Let $g_{n,w}$ denote the number of partitions with w, the common weight of the vectors in
partition. The papers [45], [47], and [48] address the formula on how to calculate $g_{n,w}$ for
arbitrary n and w. It is also noteworthy that Zhang and Deng [57] corrected the enumeration
of $G_n(x_1, x_2, \ldots, x_n)$ such that $|G_n(x_1, x_2, \ldots, x_n)| = n$ in [48] and generalized the
enumeration for $|G_n(x_1, x_2, \ldots, x_n)| = r$ where $r \mid n$.

Definition 3.3.3. Let

$$G_n(x_1, \ldots, x_n) = \{\rho^k(x_1, \ldots, x_n), \text{ for } 1 \le k \le n\},$$

be the orbit of $(x_1, \ldots, x_n)$ under the action of $\rho^k$, $1 \le k \le n$. It is clear that $G_n(x_1, \ldots, x_n)$
generates a partition in the set $\mathbb{F}_2^n$. A rotation-symmetric function $f(x_1, \ldots, x_n)$ can be
written (for short) as

$$a_0 \oplus a_1x_1 \oplus \sum a_{1j}x_1x_j \oplus \cdots \oplus a_{12 \ldots n}x_1x_2 \cdots x_n, \quad \text{(SANF)},$$

where the coefficients $a_0, a_1, a_{1j}, \ldots, a_{12 \ldots n} \in \{0, 1\}$, and the existence of a representative
term $x_1x_{i_2} \cdots x_{i_l}$ implies the existence of all the terms from $G_n(x_1x_{i_2} \cdots x_{i_l})$ in the ANF.
We call this representation of f the short algebraic normal form (SANF) of f.

Remark 3.3.4. We note that the SANF is not unique, since one can choose any
representative in $G_n(x_1x_{i_2} \cdots x_{i_l})$.


Example 3.3.5. 5-variable RSBFs f and g are shown in ANF and SANF below. 


Es 
i 
T 
Ay 
D 
cs 
= 
2 





$$g(x) = x_1 \oplus x_1x_2x_5 \ \text{(SANF)}$$

$$= x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5 \oplus x_1x_2x_5 \oplus \cdots \oplus x_5x_1x_4$$

If the SANF of an RSBF contains only one term, we call such a function a monomial
rotation-symmetric (MRS) function. A simple number theoretic deduction gives us that the
number of terms in the ANF of a monomial rotation-symmetric function is a divisor of n.
If that divisor is in fact n, we call the function a full-cycle MRS, otherwise, a short-cycle
MRS.

Example 3.3.6. The 6-variable RSBF $f(x) = x_1x_2$ (SANF) is a full-cycle MRS function, and
$g(x) = x_1x_4$ (SANF) is a short-cycle MRS function, as shown below.

$$g(x) = x_1x_4 \oplus x_2x_5 \oplus x_3x_6$$
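The orbit structure of Definitions 3.3.1 to 3.3.3, the SANF expansion of Examples 3.3.5 and 3.3.6, and the symmetric versus rotation-symmetric distinction of Table 2.8 can be checked by enumeration. The following is an added example, not code from the thesis: `burnside_count` uses the standard necklace-counting formula (1/n) * sum over k dividing n of phi(k) * 2^(n/k), stated here as a known fact and cross-checked against direct orbit enumeration; truth tables are indexed with x1 as the most significant bit.

```python
from math import gcd


def bits(x, n):
    """Integer index -> bit vector (x1, ..., xn), x1 most significant."""
    return tuple((x >> (n - 1 - i)) & 1 for i in range(n))


def rho(v, k):
    """rho^k of Definition 3.3.1: coordinate i receives x_{i+k} cyclically."""
    k %= len(v)
    return v[k:] + v[:k]


def orbits(n):
    """Partition of F_2^n into the rotation classes G_n(x1, ..., xn)."""
    seen, classes = set(), []
    for x in range(2 ** n):
        v = bits(x, n)
        if v not in seen:
            orbit = {rho(v, k) for k in range(1, n + 1)}
            seen |= orbit
            classes.append(orbit)
    return classes


def burnside_count(n):
    """g_n from the standard necklace formula (known fact, see lead-in)."""
    def phi(k):
        return sum(1 for j in range(1, k + 1) if gcd(j, k) == 1)
    return sum(phi(k) * 2 ** (n // k)
               for k in range(1, n + 1) if n % k == 0) // n


def expand_sanf(term, n):
    """All distinct rotations of one SANF term (a set of 1-based indices)."""
    return {frozenset((i - 1 + k) % n + 1 for i in term) for k in range(n)}


def mrs_truth_table(term, n):
    """Truth table of the MRS function whose SANF is the single `term`."""
    anf = expand_sanf(term, n)
    table = []
    for x in range(2 ** n):
        v = bits(x, n)
        table.append(sum(all(v[i - 1] for i in m) for m in anf) % 2)
    return table


def is_rotation_symmetric(tt):
    """Invariance under rho^1 implies invariance under every rho^k."""
    n = len(tt).bit_length() - 1
    def index(v):
        return int("".join(map(str, v)), 2)
    return all(tt[x] == tt[index(rho(bits(x, n), 1))] for x in range(len(tt)))


def is_symmetric(tt):
    """True if inputs of equal Hamming weight always share one value."""
    by_weight = {}
    for x, value in enumerate(tt):
        by_weight.setdefault(bin(x).count("1"), set()).add(value)
    return all(len(values) == 1 for values in by_weight.values())


# g(x) from Table 2.8, inputs 0000 .. 1111.
G_TABLE_2_8 = [1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1]

if __name__ == "__main__":
    print("g_6 =", len(orbits(6)), "RSBFs on 6 variables: 2 **", len(orbits(6)))
    print("x1x2 terms:", len(expand_sanf({1, 2}, 6)), "(full cycle)")
    print("x1x4 terms:", len(expand_sanf({1, 4}, 6)), "(short cycle)")
```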
3.4. CIRCULANT MATRICES 


One of the interesting matrices in linear algebra is a Toeplitz matrix. An $n \times n$
Toeplitz matrix $A = \{a_{ij}\}$ has a form

$$\begin{pmatrix}
a_1 & a_2 & a_3 & \cdots & \cdots & a_n \\
a_{n+1} & a_1 & a_2 & \ddots & & \vdots \\
\vdots & \ddots & \ddots & \ddots & \ddots & \vdots \\
\vdots & & \ddots & a_1 & a_2 & a_3 \\
\vdots & & & a_{n+1} & a_1 & a_2 \\
a_{2n-1} & \cdots & \cdots & \cdots & a_{n+1} & a_1
\end{pmatrix}$$

Toeplitz matrices have various engineering applications and have been widely studied. A
circulant matrix is a special type of Toeplitz matrix where $a_2 = a_{2n-1}$, $a_3 = a_{2n-2}$, ..., and
$a_n = a_{n+1}$. We apply the principles found in the structure of a circulant matrix extensively
in our new findings. To be precise, we use the following definition for a circulant matrix.

Definition 3.4.1. An $n \times n$ matrix $C$ is circulant, denoted by $C(c_1, c_2, \ldots, c_n)$, if all its
rows are successive circular permutations of the first row, that is,

$$C = \begin{pmatrix}
c_1 & c_2 & c_3 & \cdots & \cdots & c_n \\
c_n & c_1 & c_2 & \ddots & & \vdots \\
c_{n-1} & c_n & \ddots & \ddots & \ddots & \vdots \\
\vdots & \ddots & \ddots & \ddots & c_2 & c_3 \\
\vdots & & \ddots & c_n & c_1 & c_2 \\
c_2 & \cdots & \cdots & c_{n-1} & c_n & c_1
\end{pmatrix},$$

where $c_i \in F$ for $F$ is a field, and $i \in \{1, 2, \ldots, n\}$.

We denote the set of all circulant matrices as $\mathcal{C}$ and the set of all $n \times n$ circulant
matrices as $\mathcal{C}_n$.

We define the generating polynomial $F$ of a circulant matrix $C(c_1, \ldots, c_n)$ by

$$F(x) = c_1 + c_2x + \cdots + c_nx^{n-1}.$$

It is clear that the circulant matrices are closed under matrix addition. That is, for
any two circulant matrices A and B, A + B is circulant as well. Additionally, A + B = B + A
and the associative property holds. Therefore, $\mathcal{C}_n$ forms an abelian group. We proceed to
prove another interesting fact about circulant matrices. We also observe that the transpose
of a circulant matrix $C = C(c_1, c_2, \ldots, c_n)$, denoted by $C^T$, is $C(c_1, c_n, c_{n-1}, \ldots, c_2)$.

Proposition 3.4.2. [56] An $n \times n$ matrix $C = \{c_{ij}\}$ is circulant if and only if $c_{ij} = c_{vu}$
whenever $j - i \equiv u - v \pmod{n}$.


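There exists a way to express a circulant matrix as a linear combination of a basis
of matrices. Let $G$ be the $n \times n$ binary circulant matrix $G = C(0, 1, 0, \ldots, 0)$, which is

$$G = \begin{pmatrix}
0 & 1 & 0 & \cdots & 0 \\
0 & 0 & 1 & \cdots & 0 \\
\vdots & & \ddots & \ddots & \vdots \\
0 & 0 & \cdots & 0 & 1 \\
1 & 0 & 0 & \cdots & 0
\end{pmatrix}.$$

The following lemma shows that the powers of $G$, $G^j$, where $1 \le j \le n$, form a
basis for the commutative algebra $\mathcal{C}_n$.

Lemma 3.4.3. [58, p. 68] Let $A \in \mathcal{C}_n$ and $A = C(a_1, a_2, \ldots, a_n)$. Then

$$A = \sum_{i=1}^{n} a_iG^{i-1} = \sum_{i \in \Lambda(A)} G^{i-1},$$

where $\Lambda(A) = \{i \mid a_i = 1\} \subseteq \{1, 2, \ldots, n\}$.

It is well-known that the circulant matrices in C commute in multiplication [58, p.
68]. Since some matrix properties in C may not hold in $\mathbb{F}_2$, we verify the commutativity.

Lemma 3.4.4. [56] Let $A = C(a_1, a_2, \ldots, a_n)$ and $B = C(b_1, b_2, \ldots, b_n)$ be two elements
of $\mathcal{C}_n$ with $a_i, b_j \in \mathbb{F}_2$ for $1 \le i, j \le n$. Then,

$$AB = BA = C\Bigg(\sum_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \sum_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j\Bigg)$$

$$= C\Bigg(\sum_{\substack{i \in \Lambda(A),\, j \in \Lambda(B) \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}} a_ib_j,\ \sum_{\substack{i \in \Lambda(A),\, j \in \Lambda(B) \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}} a_ib_j,\ \ldots,\ \sum_{\substack{i \in \Lambda(A),\, j \in \Lambda(B) \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}} a_ib_j\Bigg),$$

where $\Lambda(A) = \{i \mid a_i = 1\} \subseteq \{1, 2, \ldots, n\}$ (ordered tuple).

Proof. Let

$$A = \begin{pmatrix}
a_1 & a_2 & a_3 & \cdots & a_n \\
a_n & a_1 & a_2 & \cdots & a_{n-1} \\
\vdots & \ddots & \ddots & \ddots & \vdots \\
a_3 & \cdots & a_n & a_1 & a_2 \\
a_2 & a_3 & \cdots & a_n & a_1
\end{pmatrix}, \text{ and } B = \begin{pmatrix}
b_1 & b_2 & b_3 & \cdots & b_n \\
b_n & b_1 & b_2 & \cdots & b_{n-1} \\
\vdots & \ddots & \ddots & \ddots & \vdots \\
b_3 & \cdots & b_n & b_1 & b_2 \\
b_2 & b_3 & \cdots & b_n & b_1
\end{pmatrix}.$$

Then

$$AB = \begin{pmatrix}
\sum\limits_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j & \sum\limits_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j & \cdots & \sum\limits_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j \\
\sum\limits_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j & \sum\limits_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j & \cdots & \sum\limits_{\substack{i,j=1 \\ i+j \equiv n \ (\mathrm{mod}\ n)}}^{n} a_ib_j \\
\vdots & \vdots & \ddots & \vdots \\
\sum\limits_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j & \sum\limits_{\substack{i,j=1 \\ i+j \equiv 4 \ (\mathrm{mod}\ n)}}^{n} a_ib_j & \cdots & \sum\limits_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j
\end{pmatrix}$$

$$= C\Bigg(\sum_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \sum_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j\Bigg).$$

Since $a_i, b_j \in \mathbb{F}_2$,

$$AB = C\Bigg(\sum_{\substack{i \in \Lambda(A),\, j \in \Lambda(B) \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}} b_ja_i,\ \sum_{\substack{i \in \Lambda(A),\, j \in \Lambda(B) \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}} b_ja_i,\ \ldots,\ \sum_{\substack{i \in \Lambda(A),\, j \in \Lambda(B) \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}} b_ja_i\Bigg) = BA.$$

Therefore, the claim holds.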














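Clearly, $\mathcal{C}_n$ has the associative property with respect to matrix multiplication.
Therefore, $\mathcal{C}_n$ forms a commutative monoid. Since $\mathcal{C}_n$ is an abelian group, $\mathcal{C}_n$ forms a
commutative algebra. We recall $A \in \mathcal{C}_n$ implies that $A^T \in \mathcal{C}_n$. Then, we have $AA^T = A^TA$ by
Theorem 3.4.4. Therefore, $\mathcal{C}_n$ is normal.

Corollary 3.4.5. [56] Let $A = C(a_1, a_2, \ldots, a_n)$ be a circulant matrix over $\mathbb{F}_2$. Then

$$A^2 = C\Bigg(\bigoplus_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ia_j,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ia_j,\ \ldots,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv n \ (\mathrm{mod}\ n)}}^{n} a_ia_j,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ia_j\Bigg)$$

$$= \begin{cases}
C(a_1, a_{\lceil n/2 \rceil + 1}, a_2, a_{\lceil n/2 \rceil + 2}, \ldots, a_{\lceil n/2 \rceil}) & \text{if } n \text{ is odd,} \\
C(a_1 \oplus a_{n/2+1}, 0, a_2 \oplus a_{n/2+2}, 0, \ldots, 0) & \text{if } n \text{ is even.}
\end{cases}$$

Proof. Let

$$A = C(a_1, a_2, \ldots, a_n) = \begin{pmatrix}
a_1 & a_2 & a_3 & \cdots & a_n \\
a_n & a_1 & a_2 & \cdots & a_{n-1} \\
\vdots & \ddots & \ddots & \ddots & \vdots \\
a_3 & \cdots & a_n & a_1 & a_2 \\
a_2 & a_3 & \cdots & a_n & a_1
\end{pmatrix}.$$

By Lemma 3.4.4, we have

$$A^2 = C\Bigg(\bigoplus_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ia_j,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ia_j,\ \ldots,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv n \ (\mathrm{mod}\ n)}}^{n} a_ia_j,\ \bigoplus_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ia_j\Bigg).$$

If $n = 2k + 1$ for $k = 0, 1, 2, \ldots$,

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_1 \oplus a_2a_{2k+1} \oplus \cdots \oplus a_{k+1}a_{k+2} \oplus a_{k+2}a_{k+1} \oplus \cdots \oplus a_{2k+1}a_2$$
$$= a_1^2 \oplus 2a_{2k+1}a_2 \oplus \cdots \oplus 2a_ka_{k+3} \oplus 2a_{k+1}a_{k+2} = a_1$$

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_2 \oplus a_2a_1 \oplus a_3a_{2k+1} \oplus \cdots \oplus a_{k+2}^2 \oplus \cdots \oplus a_{2k+1}a_3$$
$$= a_{k+2}^2 \oplus 2a_1a_2 \oplus \cdots \oplus 2a_3a_{2k+1} = a_{k+2}$$

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 4 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_3 \oplus a_2a_2 \oplus a_3a_1 \oplus a_4a_{2k+1} \oplus \cdots \oplus a_{2k+1}a_4$$
$$= a_2^2 \oplus 2a_3a_1 \oplus \cdots \oplus 2a_{2k+1}a_4 = a_2$$

$$\vdots$$

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_{2k+1} \oplus a_2a_{2k} \oplus \cdots \oplus a_{k+1}^2 \oplus \cdots \oplus a_{2k}a_2 \oplus a_{2k+1}a_1$$
$$= a_{k+1}^2 \oplus 2a_1a_{2k+1} \oplus \cdots \oplus 2a_{2k}a_2 = a_{k+1}.$$

Therefore,

$$A^2 = C(a_1, a_{k+2}, a_2, a_{k+3}, a_3, \ldots, a_k, a_{2k+1}, a_{k+1})$$
$$= C(a_1, a_{\lceil n/2 \rceil + 1}, a_2, a_{\lceil n/2 \rceil + 2}, \ldots, a_{\lceil n/2 \rceil}).$$

If $n = 2k$ for $k = 0, 1, 2, \ldots$,

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_1 \oplus a_2a_{2k} \oplus \cdots \oplus a_ka_{k+2} \oplus a_{k+1}a_{k+1} \oplus a_{k+2}a_k \oplus \cdots \oplus a_{2k}a_2$$
$$= a_1^2 \oplus a_{k+1}^2 \oplus 2a_2a_{2k} \oplus \cdots \oplus 2a_ka_{k+2} = a_1 \oplus a_{k+1}$$

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_2 \oplus a_2a_1 \oplus a_3a_{2k} \oplus a_4a_{2k-1} \oplus \cdots \oplus a_{2k-1}a_4 \oplus a_{2k}a_3$$
$$= 2a_1a_2 \oplus \cdots \oplus 2a_{2k}a_3 = 0$$

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 4 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_3 \oplus a_2a_2 \oplus a_3a_1 \oplus a_4a_{2k} \oplus \cdots \oplus a_{k+2}^2 \oplus \cdots \oplus a_{2k}a_4$$
$$= a_2^2 \oplus a_{k+2}^2 \oplus 2a_3a_1 \oplus \cdots \oplus 2a_{2k}a_4 = a_2 \oplus a_{k+2}$$

$$\vdots$$

$$\bigoplus_{\substack{i,j=1 \\ i+j \equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ia_j = a_1a_{2k} \oplus a_2a_{2k-1} \oplus \cdots \oplus a_{2k-1}a_2 \oplus a_{2k}a_1$$
$$= 2a_1a_{2k} \oplus \cdots \oplus 2a_ka_{k+1} = 0.$$

Therefore,

$$A^2 = C(a_1 \oplus a_{k+1}, 0, a_2 \oplus a_{k+2}, 0, a_3 \oplus a_{k+3}, \ldots, a_k \oplus a_{2k}, 0)$$
$$= C(a_1 \oplus a_{n/2+1}, 0, a_2 \oplus a_{n/2+2}, 0, \ldots, 0).$$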














An $n \times n$ permutation matrix $P_\sigma$ is an $n \times n$ matrix obtained by applying a permutation $\sigma \in S_n$, where $S_n$ is the symmetric group of the order $n$, to the rows (or columns) of the identity matrix $I_n$.


Definition 3.4.6. We define a relation denoted by $\sim$ on $\mathcal{C}_n$ as follows. Let $A_1 = C(a_1, \ldots, a_n)$, $A_2 = C(b_1, \ldots, b_n)$. Then,

$$A_1 \sim A_2 \text{ if and only if } (a_1, \ldots, a_n) = \rho^k(b_1, \ldots, b_n).$$

Due to reflexivity, symmetry, and transitivity of the relation, the relation $\sim$ is an equivalence relation, which partitions $\mathcal{C}$ into equivalence classes. We denote the set of the equivalence classes as $\mathcal{C}/_\sim$. We further denote the equivalence class of $C(a_1, a_2, \ldots, a_n)$ by $\langle a_1, a_2, \ldots, a_n \rangle$ or $\langle C(a_1, a_2, \ldots, a_n) \rangle$.


Lemma 3.4.7. [56] Let $M_1, M_2 \in \mathcal{C}_n$, and let $M_1^{-1}$ and $M_2^{-1}$ exist. Then, $M_1$ and $M_2$ belong to the same equivalence class if and only if $M_1^{-1}$ and $M_2^{-1}$ also belong to the same equivalence class.


Proof. We just prove the necessity; the sufficiency proof is similar. Let $M_1 = C(a_1, a_2, \ldots, a_n)$, $M_2 = C(b_1, b_2, \ldots, b_n)$, and $M_1^{-1} = C(\alpha_1, \alpha_2, \ldots, \alpha_n)$ and $M_2^{-1} = C(\beta_1, \beta_2, \ldots, \beta_n)$. It is sufficient to show that $M_2^{-1} \in \langle C(\alpha_1, \alpha_2, \ldots, \alpha_n) \rangle$. We know that

$$(b_1, b_2, \ldots, b_n) = \rho^k(a_1, a_2, \ldots, a_n)$$

for some $k$. Thus,

$$M_2 = P_\rho M_1$$

for some permutation matrix $P_\rho = C(\rho^k(1, 0, \ldots, 0))$. Therefore, by taking the inverse of the previous equation and Lemma 3.4.4,


= Pee 














Therefore, $M_1^{-1}$ and $M_2^{-1}$ belong to the same equivalence class.


To conclude this section, we show that the equivalence classes of Definition 3.4.6 form a commutative monoid which contains an abelian group.


Theorem 3.4.8. [56] The set $(\mathcal{C}/_\sim, \cdot)$ with the operation $\langle A \rangle \cdot \langle B \rangle := \langle AB \rangle$ is a commutative monoid. Moreover, the previous operation partitions the invertible circulant matrices $\mathcal{C}^*$ into equivalence classes, say $\mathcal{C}^*/_\sim$, and consequently, $(\mathcal{C}^*/_\sim, \cdot)$ becomes a group.


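Proof. First, we show that the operation is well defined. Let $A = C(a_1, \ldots, a_n) \sim A' = C(a'_1, \ldots, a'_n)$, $B = C(b_1, \ldots, b_n) \sim B' = C(b'_1, \ldots, b'_n)$. We need to show that $AB \sim A'B'$. By Lemma 3.4.4,

$$AB = C\Bigg(\sum_{\substack{i,j=1 \\ i+j\equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \sum_{\substack{i,j=1 \\ i+j\equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j\equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j\Bigg),$$

$$A'B' = C\Bigg(\sum_{\substack{i,j=1 \\ i+j\equiv 2 \ (\mathrm{mod}\ n)}}^{n} a'_ib'_j,\ \sum_{\substack{i,j=1 \\ i+j\equiv 3 \ (\mathrm{mod}\ n)}}^{n} a'_ib'_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j\equiv 1 \ (\mathrm{mod}\ n)}}^{n} a'_ib'_j\Bigg).$$

Let $k$ and $s$ be such that

$$\rho^k(a_1, \ldots, a_n) = (a_{1+k \ (\mathrm{mod}\ n)}, \ldots, a_{n+k \ (\mathrm{mod}\ n)}) = (a'_1, \ldots, a'_n)$$

and

$$\rho^s(b_1, \ldots, b_n) = (b_{1+s \ (\mathrm{mod}\ n)}, \ldots, b_{n+s \ (\mathrm{mod}\ n)}) = (b'_1, \ldots, b'_n).$$

Then, we have

$$\begin{aligned}
A'B' &= C\Bigg(\sum_{\substack{i,j=1 \\ i+j\equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_{i+k \ (\mathrm{mod}\ n)}\, b_{j+s \ (\mathrm{mod}\ n)},\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j\equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_{i+k \ (\mathrm{mod}\ n)}\, b_{j+s \ (\mathrm{mod}\ n)}\Bigg) \\
&= C\Bigg(\sum_{\substack{i,j=1 \\ i+j+k+s\equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \sum_{\substack{i,j=1 \\ i+j+k+s\equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j+k+s\equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j\Bigg) \\
&= C\Bigg(\rho^{k+s}\Bigg(\sum_{\substack{i,j=1 \\ i+j\equiv 2 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \sum_{\substack{i,j=1 \\ i+j\equiv 3 \ (\mathrm{mod}\ n)}}^{n} a_ib_j,\ \ldots,\ \sum_{\substack{i,j=1 \\ i+j\equiv 1 \ (\mathrm{mod}\ n)}}^{n} a_ib_j\Bigg)\Bigg).
\end{aligned}$$

Therefore, we have

$$AB \sim A'B'.$$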
It is immediate that the defined operation is associative, and the identity element is $\langle C(1, 0, \ldots, 0) \rangle = \langle I_n \rangle$, the class of the identity matrix. The commutative property follows from Lemma 3.4.4. By Lemma 3.4.7, we can let $\langle M \rangle^{-1}$ be the equivalence class of all inverses of circulant matrices from $\langle M \rangle$. We have

$$\langle M \rangle \cdot \langle M \rangle^{-1} = \langle M \rangle \cdot \langle M^{-1} \rangle$$

and the lemma is proved.

3.5. S-EQUIVALENCE OF MRS BOOLEAN FUNCTIONS


Definition 3.5.1. Let $f, g \in \mathcal{B}_n$ be MRS functions. $f$ and $g$ are S-equivalent, denoted by $f \sim g$, if there exists a permutation matrix $P$ such that

$$g(x) = f(xP).$$


Example 3.5.2. [56] Let $n = 7$, and the quartic MRS functions

$$f(x) = x_1x_2x_3x_4 \oplus x_2x_3x_4x_5 \oplus x_3x_4x_5x_6 \oplus x_4x_5x_6x_7 \oplus x_5x_6x_7x_1 \oplus x_6x_7x_1x_2 \oplus x_7x_1x_2x_3,$$

$$g(x) = x_1x_2x_4x_6 \oplus x_2x_3x_5x_7 \oplus x_3x_4x_6x_1 \oplus x_4x_5x_7x_2 \oplus x_5x_6x_1x_3 \oplus x_6x_7x_2x_4 \oplus x_7x_1x_3x_5.$$

Using the permutation $\pi = (2,3,5)(4,7,6)$ expressed in product of disjoint cycles, we check that $f \circ \pi = g$.
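
The check in Example 3.5.2 can be carried out mechanically. The following Python sketch is an added example, not code from the thesis: it expands a SANF monomial into the full ANF, applies a permutation of the variable indices, and searches for a permutation realizing S-equivalence. The function names and the representation of a monomial as a set of indices are choices made here.

```python
from itertools import permutations

def mrs_monomials(n, sanf):
    """ANF of the n-variable MRS function with the given SANF monomial:
    the set of its cyclic shifts, each stored as a frozenset of indices 1..n."""
    return frozenset(
        frozenset((j - 1 + k) % n + 1 for j in sanf) for k in range(n)
    )

def perm_from_cycles(n, cycles):
    """Permutation of {1..n} as a dict, built from disjoint cycles such as
    [(2, 3, 5), (4, 7, 6)]; indices that are not listed stay fixed."""
    pi = {i: i for i in range(1, n + 1)}
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            pi[a] = b
    return pi

def substitute(monomials, pi):
    """ANF of f o pi: every variable x_i is replaced by x_{pi(i)}."""
    return frozenset(frozenset(pi[i] for i in m) for m in monomials)

def find_s_equivalence(n, sanf_f, sanf_g):
    """Search for pi with f o pi = g; return it as a dict, or None.

    g is rotation symmetric, so any solution can be followed by a rotation
    that sends pi(1) back to 1. Fixing pi(1) = 1 therefore loses nothing
    and cuts the search from n! to (n-1)! candidates."""
    f, g = mrs_monomials(n, sanf_f), mrs_monomials(n, sanf_g)
    if len(f) != len(g) or len(sanf_f) != len(sanf_g):
        return None                      # different orbit size or degree
    for tail in permutations(range(2, n + 1)):
        pi = dict(zip(range(1, n + 1), (1,) + tail))
        if substitute(f, pi) == g:
            return pi
    return None

if __name__ == "__main__":
    n = 7
    f = mrs_monomials(n, [1, 2, 3, 4])
    g = mrs_monomials(n, [1, 2, 4, 6])
    pi = perm_from_cycles(n, [(2, 3, 5), (4, 7, 6)])
    print("pi from Example 3.5.2 works:", substitute(f, pi) == g)
    print("found by search:", find_s_equivalence(n, [1, 2, 3, 4], [1, 2, 4, 6]))
```

The exhaustive search is only practical for small $n$, since it visits $(n-1)!$ permutations.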


We associate f to the following circulant matrix equivalence class 


re ee 
APSE IOs cts tases Oy Ty veg Oe T Mca) 


(3.1) 


where the 1's appear in positions prompted by the indices of any monomial of ANF of $f$. We can illustrate $\Delta(f) = \Delta(\text{any representative of } A_f)$. In general, for $A_f$ as in Equation (3.1), then $\Delta(f) = [1, j_2, \ldots, j_d] = [2, j_2+1, \ldots, j_d+1] = \cdots$. Also, the length of $\Delta(A)$ is denoted by $wt(\Delta(A))$, which is the weight of any row of $A_f$.


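Example 3.5.3. [56] If $n = 5$ and $f(x) = x_1x_2x_4 \oplus x_2x_3x_5 \oplus x_3x_4x_1 \oplus x_4x_5x_2 \oplus x_5x_1x_3$, then

$$A_f = \left\langle \begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 \end{pmatrix} \right\rangle,$$

$$\Delta(f) = [1,2,4] = [2,3,5] = [1,3,4] = [2,4,5] = [1,3,5].$$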


Lemma 3.5.4. [56] Let $f$ be an MRS Boolean function, and $F_i$, $i = 1, 2$, be the generating polynomials for the circulant matrices $M_1 = C(a_1, a_2, \ldots, a_n)$, respectively, $M_2 = C(b_1, \ldots, b_n)$ in $A_f$, where $(b_1, \ldots, b_n) = \rho^k(a_1, \ldots, a_n)$, for some $k$. Then, $\gcd(F_1(z), z^n - 1) = \gcd(F_2(z), z^n - 1)$.
Proof. Since $(b_1, b_2, \ldots, b_n) = \rho^k(a_1, a_2, \ldots, a_n)$, for some $k$, we use an inductive argument to prove the lemma. Let $k = 1$. Then, $(b_1, b_2, \ldots, b_n) = (a_n, a_1, \ldots, a_{n-1})$. Now, we need to show that

$$\gcd(F_1(z), z^n - 1) = \gcd(F_2(z), z^n - 1)$$

for

$$F_1(z) = a_1 + a_2z + \cdots + a_nz^{n-1}$$

and

$$F_2(z) = a_n + a_1z + \cdots + a_{n-1}z^{n-1}.$$

Certainly,

$$zF_1(z) - F_2(z) = a_n(z^n - 1). \qquad (3.2)$$

Since multiplying $z$ by $F_1(z)$ does not change $\gcd(F_1(z), z^n - 1)$,

$$\gcd(F_1(z), z^n - 1) = \gcd(zF_1(z), z^n - 1).$$

By Equation 3.2,

$$\gcd(F_1(z), z^n - 1) = \gcd(a_n(z^n - 1) + F_2(z), z^n - 1).$$

By the Euclidean algorithm,

$$\gcd(F_1(z), z^n - 1) = \gcd(F_2(z), z^n - 1).$$

For the inductive step, assume it is true for $k = s$. Then, we try to show for $k = s + 1$. Let $(b_1, b_2, \ldots, b_n) = (a_{n-s}, a_{n-s+1}, \ldots, a_{n-s-1})$. We need to show that

$$\gcd(F_1(z), z^n - 1) = \gcd(F_{s+1}(z), z^n - 1)$$

for

$$F_1(z) = a_1 + a_2z + \cdots + a_nz^{n-1}$$

and

$$F_{s+1}(z) = a_{n-s} + a_{n-s+1}z + \cdots + a_{n-s-1}z^{n-1}.$$

Let

$$F_s(z) = a_{n-s+1} + a_{n-s+2}z + \cdots + a_{n-s}z^{n-1}.$$

Then,

$$zF_s(z) - F_{s+1}(z) = a_{n-s}(z^n - 1). \qquad (3.3)$$

Since multiplying $z$ by $F_s(z)$ does not change $\gcd(F_s(z), z^n - 1)$,

$$\gcd(F_s(z), z^n - 1) = \gcd(zF_s(z), z^n - 1).$$

By Equation 3.3,

$$\gcd(F_s(z), z^n - 1) = \gcd(a_{n-s}(z^n - 1) + F_{s+1}(z), z^n - 1).$$

By the Euclidean algorithm,

$$\gcd(F_s(z), z^n - 1) = \gcd(F_{s+1}(z), z^n - 1).$$

By the induction hypothesis, we conclude that

$$\gcd(F_1(z), z^n - 1) = \gcd(F_{s+1}(z), z^n - 1),$$

which proves the lemma.





We introduce the concept of a generalized inverse. 


Definition 3.5.5. For a square matrix $A$, we call a matrix $A^*$ of the same dimension a generalized inverse if

$$AA^*A = A.$$

We call a matrix $A^\dagger$ a reflexive generalized matrix if

$$AA^\dagger A = A$$

and

$$A^\dagger AA^\dagger = A^\dagger.$$

In addition, if both $AA^\dagger$ and $A^\dagger A$ are symmetric, then $A^\dagger$ is called a (Moore–Penrose) pseudoinverse of $A$ [59].


It is known that matrices over finite fields have at least one generalized inverse [60]. Also, if a pseudoinverse exists, it is unique [60]. However, it is not known if any of these generalized inverses of circulant matrices are circulant. Our next result deals with that problem, and, in the process, the first part generalizes the second, which was shown in [61, Theorem 2.2].
Theorem 3.5.6. [56] Let $A = C(a_1, \ldots, a_n)$ be a circulant matrix over $\mathbb{F}_2$ of the generating polynomial $F = a_1 + a_2z + \cdots + a_nz^{n-1} \in \mathbb{F}_2[z]$. Let $\gcd(F(z), z^n - 1) = D(z)$, $z^n - 1 = H(z) \cdot D(z)$, and assume that $\gcd(D(z), H(z)) = 1$. Then, the following statements hold:

(i) The polynomial $F$ is invertible modulo $H$. That is, there exists $F^*(z) = \sum_{j=1}^{n} \alpha_jz^{j-1}$ with $F(z) \cdot F^*(z) \equiv 1 \pmod{H(z)}$. Moreover, the circulant matrix $A$ has a circulant generalized inverse, precisely, $A \cdot A^* \cdot A = A$, where $A^* = C(\alpha_1, \ldots, \alpha_n)$. Additionally, if $\gcd(F, z^n - 1) = \gcd(F^*, z^n - 1)$, then $A^*$ is in fact the reflexive generalized inverse $A^\dagger$.

(ii) [61, Theorem 2.2] If $\gcd(F, z^n - 1) = 1$, then the matrix $A$ is invertible and its inverse is $A^{-1} = C(\alpha_1, \ldots, \alpha_n)$, where $(\alpha_1, \alpha_2, \ldots, \alpha_n)$ is the unique solution of

$$(\alpha_1, \alpha_2, \ldots, \alpha_n) \cdot A = (1, 0, \ldots, 0).$$

Moreover, if $F^*(z) = \alpha_1 + \alpha_2z + \cdots + \alpha_nz^{n-1}$, then $F(z) \cdot F^*(z) \equiv 1 \bmod (z^n - 1)$.


Proof. The claim (ii) follows from (i). To show (i), let $n = 2^tm$ with $m$ odd, and $t$ an arbitrary integer. By [62, p.63 Theorem 2.42 (ii)], every irreducible factor of $z^n - 1$ over $\mathbb{F}_2$ appears at the power $2^t$. Let $\Phi(z)$ be an arbitrary irreducible factor of $H(z) = (z^n - 1)/D(z)$. Since $\gcd(D(z), H(z)) = 1$, $\gcd(F(z), \Phi(z)) = 1$. Therefore, the class of $F(z)$ is invertible in the ring $\mathbb{F}_2[z]/(\Phi^{2^t})$. This implies that there exists $F_\Phi(z)^*$ with $F(z) \cdot F_\Phi(z)^* \equiv 1 \pmod{\Phi^{2^t}}$. Using the fact that $H(z) = \prod_{\Phi \text{ distinct}} \Phi^{2^t}$ and applying the Chinese remainder theorem, we obtain that there exists $F^*$ with $F(z) \cdot F^*(z) \equiv 1 \pmod{H(z)}$. Moreover, $F^*(z)$ is unique modulo $H(z)$.

To show the second claim of (i), we assume that $F \cdot F^* \equiv 1 \pmod{H}$, where $F^*(z) = \sum_{j=1}^{n} \alpha_jz^{j-1}$, and we will show that $AA^*A = A$, where $A^* = C(\alpha_1, \ldots, \alpha_n)$. Let $R$ be the quotient ring $\mathbb{F}_2[z]/(H(z))$. Since $D$ divides $F$ and $H$ divides $FF^* - 1$, then $z^n - 1 = HD$ divides $F(FF^* - 1)$ and so, we have the identity $F^2F^* = F$ in $\mathbb{F}_2[z]/(z^n - 1)$. Multiplying out the polynomials $F^2$ and $F^*$ and reducing modulo $z^n - 1$, we obtain

$$\Bigg(\sum_{2i+k\equiv 3 \ (\mathrm{mod}\ n)} a_i\alpha_k\Bigg) + \Bigg(\sum_{2i+k\equiv 4 \ (\mathrm{mod}\ n)} a_i\alpha_k\Bigg)z + \cdots + \Bigg(\sum_{2i+k\equiv 2 \ (\mathrm{mod}\ n)} a_i\alpha_k\Bigg)z^{n-1} = \sum_{\ell=1}^{n} a_\ell z^{\ell-1},$$

from which we infer that

$$C\Bigg(\sum_{2i+k\equiv 3 \ (\mathrm{mod}\ n)} a_i\alpha_k,\ \sum_{2i+k\equiv 4 \ (\mathrm{mod}\ n)} a_i\alpha_k,\ \ldots,\ \sum_{2i+k\equiv 2 \ (\mathrm{mod}\ n)} a_i\alpha_k\Bigg) = C(a_1, a_2, \ldots, a_n).$$

That is $AA^*A = A$.

Using $\gcd(F(z), z^n - 1) = \gcd(F^*(z), z^n - 1)$, by a similar argument as before, we get that $A$ is also a generalized inverse for $A^*$, that is, $A^*AA^* = A^*$, which shows the last claim of (i).











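As for the pseudoinverse, we observe that the transpose of a circulant matrix $A = C(a_1, a_2, \ldots, a_n)$ is $A^T = C(a_1, a_n, \ldots, a_2)$. Let $i' = (n + 2 - i) \bmod n$, and $k' = (n + 2 - k) \bmod n$. Then, we have

$$AA^* = C\Bigg(\sum_{i+k\equiv 2 \ (\mathrm{mod}\ n)} a_i\alpha_k,\ \sum_{i+k\equiv 3 \ (\mathrm{mod}\ n)} a_i\alpha_k,\ \ldots,\ \sum_{i+k\equiv 1 \ (\mathrm{mod}\ n)} a_i\alpha_k\Bigg)$$

and

$$\begin{aligned}
(AA^*)^T &= C\Bigg(\sum_{i+k\equiv 2 \ (\mathrm{mod}\ n)} a_{i'}\alpha_{k'},\ \sum_{i+k\equiv 3 \ (\mathrm{mod}\ n)} a_{i'}\alpha_{k'},\ \ldots,\ \sum_{i+k\equiv 1 \ (\mathrm{mod}\ n)} a_{i'}\alpha_{k'}\Bigg) \\
&= C\Bigg(\sum_{i'+k'\equiv 2 \ (\mathrm{mod}\ n)} a_{i'}\alpha_{k'},\ \sum_{i'+k'\equiv 1 \ (\mathrm{mod}\ n)} a_{i'}\alpha_{k'},\ \ldots,\ \sum_{i'+k'\equiv 3 \ (\mathrm{mod}\ n)} a_{i'}\alpha_{k'}\Bigg),
\end{aligned}$$

which does not necessarily imply that $AA^* = (AA^*)^T$.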


Remark 3.5.7. [56] It may be tempting to conjecture that every circulant matrix has a generalized inverse that is circulant. However, during a computer exercise, we noticed that the circulant matrix $C(1,0,0,1,0,0)$ does not have a circulant generalized inverse. We observe that $C(1,0,0,1,0,0)$ corresponds to $F(z) = 1 + z^3$ with $n = 6$. Since $z^6 - 1 =$
Big 


So, we have

$$\gcd(D, H) \neq 1.$$

Therefore, Theorem 3.5.6 does not apply, and $F$ has no inverse modulo $H$.


We mention another way to detect singularity or nonsingularity of the associated circulant matrix to an MRS. In [46], Stanica et al. found a characterization of Boolean functions whose associated circulant matrices are singular.


Proposition 3.5.8. [46] Let $f$ be a degree $d$ MRS with associated $A_f = C(a_1, \ldots, a_n)$ (assume that $a_1 = 1$). Let $\Delta(A_f) = [1, s_2, \ldots, s_d]$. Then, $A_f$ is singular if and only if there is an $n$-th root of unity $\mu$ such that $1 + \mu^{s_2 - 1} + \cdots + \mu^{s_d - 1} = 0$ (over $\mathbb{Z}_2$).


Corollary 3.5.9. [46] With the notation of the previous proposition, we have

(i) If $wt(\Delta(A_f))$ is even, then $A_f$ is singular.

(ii) Let $p$ be the least odd prime occurring in the factorization of $n$. Assume that $\Delta(A_f) = [1, s_2, \ldots, s_d]$ has odd weight $d$ and $s_d < p - 2$. Then $A_f$ is nonsingular.


We define the dual function with respect to a degree $d$ MRS function $f$ with invertible $A_f$. We consider the ordered set $\Delta(A_f^{-1}) = [j_1, j_2, \ldots, j_e]$ and define the MRS dual function $f^*$ by

$$f^* = x_{j_1}x_{j_2} \cdots x_{j_e} \ \text{(SANF)}.$$


Our next result gives an extension for the necessity part of Theorem 3.2.4. 


Theorem 3.5.10. [56] Let $f$ and $g$ be two MRS Boolean functions in $n$ variables. If $A_f$ and $A_g$ are invertible and $f \sim g$ ($f$ and $g$ are affine equivalent by a permutation in $S_n$), then $wt(\Delta(f)) = wt(\Delta(g))$ and $wt(\Delta(f^*)) = wt(\Delta(g^*))$.


Proof. Since $f \sim g$, then there exists a permutation $\tau \in S_n$ with $A_{f \circ \tau} = A_g$. Clearly, $f$ and $g$ have the same degrees. Therefore, $wt(\Delta(f)) = wt(\Delta(g))$. Let the SANF of $f$ be $x_1x_{j_2} \cdots x_{j_d}$ with $I = \{1, j_2, \ldots, j_d\}$. We set $A_f = \langle C(a_1, \ldots, a_n) \rangle$ such that $a_i = 1$ if $i \in I$, and $0$ otherwise. Using the same steps, we also let $A_f^{-1} = \langle C(\alpha_1, \ldots, \alpha_n) \rangle$, $A_g = \langle C(b_1, \ldots, b_n) \rangle$, and $A_g^{-1} = \langle C(\beta_1, \ldots, \beta_n) \rangle$. Then we have

$$\langle C(b_1, \ldots, b_n) \rangle = \langle C(a_{\pi(1)}, a_{\pi(2)}, \ldots, a_{\pi(n)}) \rangle,$$

since $A_g = A_{f \circ \tau}$, where $\pi = \tau^{-1}$. We introduce the notations $r_i(A)$ and $c_j(A)$ for the $i$-th row and the $j$-th column of a matrix $A$, respectively. Since the permutation $\pi$ preserves the rotation symmetry, there exists a permutation matrix $P$ such that every row of $PA_g$ (not a circulant matrix any longer) is the permutation of the same indexed row of $A_f$. Then we have

$$r_i(PA_g) = \pi(r_i(A_f)).$$
By the hypothesis, there exists the inverse matrix


Therefore, we have 


and 
Then, we can set 


ri(Af) a (a545 Qj2,--- 02s) 


Sa (ere Uae eae we 


which is the $i$-th shift of the first row of $A_f$. Let $\delta_{i,j}$ be the Kronecker delta function, that is, $\delta_{i,j} = 1$ if $i = j$, and $\delta_{i,j} = 0$ otherwise. Since $\pi$ is a permutation, we can interpret the equation $A_fU = I_n$ in the following way:


Gi eajyUa() go drat tag — 0 Lg Sk (3.4) 
Let 
Un(1),1 Un(n),n 
Ur(1),1 Ur(n),n 
Un) = 
Ur(1),1 ee Ur(n),n 
Then, we have


where $P_\pi$ is the permutation matrix for $\pi$. Therefore, Equation (3.4) is simply $r_i(PA_g)\,c_j(U_{(\pi)}) = \delta_{i,j}$. Therefore,

$$PA_gU_{(\pi)} = I_n$$

and

$$U_{(\pi)}PA_g = I_n.$$

Therefore,

$$r_1(U_{(\pi)}P)\,A_g = r_1(I_n).$$

Due to the uniqueness of Theorem 3.5.6,

$$r_1(U_{(\pi)}P) = (\beta_1, \ldots, \beta_n).$$

Recall that multiplication by a permutation matrix to the right has the effect of rearranging the columns, and to the left has the effect of re-arranging the rows. Since $U^{-1}$ is also circulant, hence every row has the same weight, we obtain

$$wt(\beta_1, \ldots, \beta_n) = wt\big(r_1(U_{(\pi)}P)\big) = wt\big(r_1(U_{(\pi)})\big)$$
Example 3.5.11. [56] Take $n = 5$, and $f \sim g$ whose SANFs are $x_1x_2x_4$, respectively, $x_1x_2x_3$ (and so, $wt(\Delta(f)) = wt(\Delta(g))$). Certainly,

$$A_f = C(1,1,0,1,0), \quad A_g = C(1,1,1,0,0),$$

$$A_f^{-1} = C(0,1,1,1,0), \quad A_g^{-1} = C(0,1,1,0,1),$$

and so, $wt(\Delta(f^*)) = wt(\Delta(g^*))$ (in fact, in this case the dual of $f$ is $f^* = g$). As another example, we take $n = 8$, $f, g$ with SANFs $x_1x_2x_4$, respectively, $x_1x_4x_5$ (and so, $wt(\Delta(f)) = wt(\Delta(g))$). We compute

$$A_f = C(1,1,0,1,0,0,0,0), \quad A_g = C(1,0,0,1,1,0,0,0),$$

$$A_f^{-1} = C(1,0,1,0,0,1,1,1), \quad A_g^{-1} = C(0,0,1,0,0,1,1,0),$$

and so, $wt(\Delta(f^*)) = 5 \neq wt(\Delta(g^*)) = 3$, therefore $f \nsim g$.


Remark 3.5.12. The conditions $wt(\Delta(f)) = wt(\Delta(g))$, $wt(\Delta(f^*)) = wt(\Delta(g^*))$ are not sufficient to ensure that the functions $f, g$ are S-equivalent. As an example, take $n = 8$ and $f, g$ with $\Delta(f) = [1,2,3]$, $\Delta(g) = [1,2,4]$. The two functions are not in the same S-equivalence class, yet $wt(\Delta(f)) = wt(\Delta(g)) = 3$ and $wt(\Delta(f^*)) = wt(\Delta(g^*)) = 5$, as one can check easily.


For a degree $d$ MRS, whose class $A_f$ is not invertible, let the equivalence class of the circulant pseudoinverse matrix be denoted by $A_f^\dagger$ with $\Delta(A_f^\dagger) = [j_1, j_2, \ldots, j_e]$. Then the pseudo-dual Boolean function is

$$f^\dagger = x_{j_1}x_{j_2} \cdots x_{j_e} \oplus x_{j_1+1}x_{j_2+1} \cdots x_{j_e+1} \oplus \cdots \oplus x_{j_1-1}x_{j_2-1} \cdots x_{j_e-1}.$$
We propose the following question, which seems to be true, based on computer data.

Open Problem. [56] If $f \sim g$ with singular matrices $A_f$ and $A_g$, respectively with circulant pseudoinverses, is it true that $wt(\Delta(f)) = wt(\Delta(g))$ implies $wt(\Delta(f^\dagger)) = wt(\Delta(g^\dagger))$?


We now present some results obtained while pursuing the open problem. 


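Theorem 3.5.13. [56] Let $f$ and $g$ be two $n$-variables MRS with $f \sim g$, and $A_f = C(a_1, \ldots, a_n)$, $A_g = C(a_{\pi(1)}, \ldots, a_{\pi(n)})$ for some permutation $\pi$. The matrices have pseudoinverses $C(\alpha_1, \ldots, \alpha_n)$ and $C(\beta_1, \ldots, \beta_n)$, respectively. Let $\tau$ be the permutation $\tau(1) = 1$, $\tau(2) = \lceil n/2 \rceil + 1$, $\tau(3) = 2$, $\tau(4) = \lceil n/2 \rceil + 2, \ldots$. The following statements are true:

(i) Let $n$ be odd. Then

$$\begin{aligned}
(a_1, \ldots, a_n) &= (a_{\tau(1)}, \ldots, a_{\tau(n)})\, C(\alpha_1, \ldots, \alpha_n) \\
(\alpha_1, \ldots, \alpha_n) &= (\alpha_{\tau(1)}, \ldots, \alpha_{\tau(n)})\, C(a_1, \ldots, a_n) \\
(a_{\pi(1)}, \ldots, a_{\pi(n)}) &= (a_{(\pi\circ\tau)(1)}, \ldots, a_{(\pi\circ\tau)(n)})\, C(\beta_1, \ldots, \beta_n) \\
(\beta_1, \ldots, \beta_n) &= (\beta_{\tau(1)}, \ldots, \beta_{\tau(n)})\, C(a_{\pi(1)}, \ldots, a_{\pi(n)}).
\end{aligned}$$

(ii) Let $n$ be even. Then

$$\begin{aligned}
(a_1, \ldots, a_n) &= (a_{\tau(1)} \oplus a_{\tau(2)}, 0, a_{\tau(3)} \oplus a_{\tau(4)}, 0, \ldots)\, C(\alpha_1, \ldots, \alpha_n) \\
(\alpha_1, \ldots, \alpha_n) &= (\alpha_{\tau(1)} \oplus \alpha_{\tau(2)}, 0, \alpha_{\tau(3)} \oplus \alpha_{\tau(4)}, 0, \ldots)\, C(a_1, \ldots, a_n) \\
(a_{\pi(1)}, \ldots, a_{\pi(n)}) &= (a_{(\pi\circ\tau)(1)} \oplus a_{(\pi\circ\tau)(2)}, 0, \ldots)\, C(\beta_1, \ldots, \beta_n) \\
(\beta_1, \ldots, \beta_n) &= (\beta_{\tau(1)} \oplus \beta_{\tau(2)}, 0, \ldots)\, C(a_{\pi(1)}, \ldots, a_{\pi(n)}).
\end{aligned}$$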


= “Uiecs OG Gi s.070s) Ce czane 


Let $P_\tau$ be the permutation matrix for $\tau$. By Corollary 3.4.5,

$$A_f^2 = C(a_1, a_{\lceil n/2\rceil+1}, a_2, a_{\lceil n/2\rceil+2}, \ldots, a_{\lceil n/2\rceil}).$$
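Therefore,

$$\begin{aligned}
(a_1, \ldots, a_n) &= (1, 0, \ldots, 0)\, C(a_1, \ldots, a_n)^2\, C(\alpha_1, \ldots, \alpha_n) \\
&= (1, 0, \ldots, 0)\, C(a_{\tau(1)}, \ldots, a_{\tau(n)})\, C(\alpha_1, \ldots, \alpha_n) \\
&= (a_{\tau(1)}, \ldots, a_{\tau(n)})\, C(\alpha_1, \ldots, \alpha_n).
\end{aligned}$$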


The second part is immediate since $C(\alpha_1, \ldots, \alpha_n)$ is a pseudoinverse of $C(a_1, \ldots, a_n)$, which shows that it is also reflexive inverse.


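For the third part, let $P_\pi$ be the permutation matrix for $\pi$. Then, using Corollary 3.4.5,

$$\begin{aligned}
(a_{\pi(1)}, \ldots, a_{\pi(n)}) &= (1, 0, \ldots, 0)\, C(a_{\pi(1)}, \ldots, a_{\pi(n)}) \\
&= (1, 0, \ldots, 0)\, C(a_{\pi(1)}, \ldots, a_{\pi(n)})^2\, C(\beta_1, \ldots, \beta_n) \\
&= (a_{(\pi\circ\tau)(1)}, \ldots, a_{(\pi\circ\tau)(n)})\, C(\beta_1, \ldots, \beta_n).
\end{aligned}$$

The fourth part is immediate, since $C(\beta_1, \ldots, \beta_n)$ is a reflexive inverse of $C(a_{\pi(1)}, \ldots, a_{\pi(n)})$.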











(ii) We can show this using similar techniques used in (i) with Corollary 3.4.5. 





For an MRS function $f$, when $A_f$ does not have a pseudoinverse, but circulant generalized inverses, the notion of dual is not well defined. Often, the weights of the generalized inverses differ and the generalized inverses are not unique. However, they do correspond to a unique generalized inverse, which is the smallest in lexicographical order, via the congruence modulo the corresponding $H$'s in Theorem 3.5.6. This uniqueness is not readily recognizable in matrix form. Let us define the dual Boolean function corresponding to that unique representative of all generalized inverses. Using this notion, for singular $A_f$ and $A_g$ without a pseudoinverse, but with circulant generalized inverses, the condition $wt(\Delta(f^*)) = wt(\Delta(g^*))$ does not hold. To illustrate this, let $n = 7$. We check that $f = x_1x_2x_3x_5$ (SANF) and $g = x_1x_2x_3x_6$ (SANF) are S-equivalent. The functions do not have pseudoinverses, but circulant general inverses. We computed all generalized inverses that are circulant, and they are in the classes $A_f^* = \langle C(1,0,0,0,0,0,0) \rangle$ and $A_g^* = \langle C(1,1,0,0,0,0,0) \rangle$, respectively. Clearly, we have

$$wt(\Delta(f^*)) \neq wt(\Delta(g^*)).$$
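
The circulant computations behind Theorem 3.5.6, Remark 3.5.7, Example 3.5.11 and the $n = 7$ illustration above can be reproduced with polynomial arithmetic modulo $z^n - 1$. The following Python code is an added example, not the code used for the thesis; storing a polynomial over $\mathbb{F}_2$ as an integer bit mask and all function names are assumptions of this sketch.

```python
"""Circulant matrices over F_2 as polynomials modulo z^n - 1.

C(a_1, ..., a_n) <-> F(z) = a_1 + a_2 z + ... + a_n z^(n-1); a polynomial is
stored as a Python int whose bit i is the coefficient of z^i (a choice made
for this example, not notation from the text)."""

def deg(p):
    return p.bit_length() - 1            # deg(0) == -1

def pmul(a, b):
    """Product in F_2[z] (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, b):
    """Quotient and remainder of a by b != 0 in F_2[z]."""
    q = 0
    while deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def pgcd(a, b):
    while b:
        a, b = b, pdivmod(a, b)[1]
    return a

def pinv_mod(a, m):
    """Inverse of a modulo m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, pdivmod(a, m)[1], 0, 1
    while r1:                             # invariant: r_i = s_i * a (mod m)
        q, r = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, s0 ^ pmul(q, s1)
    if r0 != 1:
        raise ValueError("not invertible")
    return pdivmod(s0, m)[1]

def to_poly(row):
    return sum(bit << i for i, bit in enumerate(row))

def to_row(p, n):
    return [(p >> i) & 1 for i in range(n)]

def cmul(a, b, n):
    """Product of two circulants, i.e. of their polynomials mod z^n - 1."""
    return pdivmod(pmul(a, b), (1 << n) | 1)[1]

def circulant_generalized_inverse(row):
    """First row of the A* of Theorem 3.5.6(i), reduced modulo H; None when
    gcd(D, H) != 1 and the theorem does not apply. If D = 1 this is A^-1."""
    n = len(row)
    F, M = to_poly(row), (1 << n) | 1     # M = z^n - 1 over F_2
    D = pgcd(F, M)
    H = pdivmod(M, D)[0]
    if pgcd(D, H) != 1:
        return None
    return to_row(pinv_mod(F, H), n)

def is_generalized_inverse(row, cand):
    """Check A X A = A for A = C(row), X = C(cand)."""
    n, F, X = len(row), to_poly(row), to_poly(cand)
    return cmul(cmul(F, X, n), F, n) == F

def all_circulant_generalized_inverses(row):
    """Exhaustive search over all 2^n circulants (small n only)."""
    n = len(row)
    return [to_row(x, n) for x in range(1 << n)
            if is_generalized_inverse(row, to_row(x, n))]

if __name__ == "__main__":
    for row in ([1, 1, 0, 1, 0], [1, 1, 1, 0, 0],              # Example 3.5.11, n = 5
                [1, 1, 0, 1, 0, 0, 0, 0], [1, 0, 0, 1, 1, 0, 0, 0],  # n = 8
                [1, 1, 1, 0, 1, 0, 0], [1, 1, 1, 0, 0, 1, 0],  # n = 7, singular
                [1, 0, 0, 1, 0, 0]):                           # Remark 3.5.7
        inv = circulant_generalized_inverse(row)
        print(row, "->", inv, "weight", None if inv is None else sum(inv))
    print("circulant generalized inverses of C(1,0,0,1,0,0):",
          all_circulant_generalized_inverses([1, 0, 0, 1, 0, 0]))
```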


We now consider the case of a converse of our previous theorem. For simplicity, we assume all indices are mod $n$. Let $P$ and $Q$ be permutation matrices. Then, it is known that if two circulant matrices $A$ and $B$ are P-Q equivalent, that is, $PA = BQ$, then $AA^T$ and $BB^T$ are similar matrices [63]. Moreover, it is straightforward to see that $AA^T =$ ijeatay G7, where $A = C(a_1, \ldots, a_n)$. This actually points to the importance of the differences $a_i - a_j$, which played a role in Cusick's paper [55], which only addresses the MRS functions with $wt(\Delta(f)) = 3$. Given a permutation $\delta$, we let $P_\delta$ be the row permutation matrix corresponding to the permutation $\delta$.


Theorem 3.5.14. [56] Let $f$ and $g$ be MRS functions with $A_f = C(a_1, \ldots, a_n)$, $A_g = C(b_1, \ldots, b_n)$, respectively. Let $P_\sigma$ be a permutation matrix for the permutation $\sigma$ and $Q_\tau$ a permutation matrix for the permutation $\tau$ such that $P_\sigma A_f = A_gQ_\tau$. Then, $wt(\Delta(f)) = wt(\Delta(g))$ and $a_{\sigma(j)+i-1} = b_{\tau(i)+j-1}$.

If $A_f$ and $B_g$ are invertible, then we also have

$$(\alpha_1, \ldots, \alpha_n) = (\beta_{\sigma^{-1}(1)-\tau(1)+1}, \ldots, \beta_{\sigma^{-1}(n)-\tau(1)+1})$$

and


where $(\alpha_1, \ldots, \alpha_n) = A_f^{-1}$ and $(\beta_1, \ldots, \beta_n) = A_g^{-1}$.


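Proof. Let $A_f = C(a_1, \ldots, a_n)$ and $A_g = C(b_1, \ldots, b_n)$. We write

$$P_\sigma A_f = \begin{pmatrix} a_{\sigma(1)} & a_{\sigma(1)+1} & \cdots & a_{\sigma(1)+n-1} \\ a_{\sigma(2)} & a_{\sigma(2)+1} & \cdots & a_{\sigma(2)+n-1} \\ \vdots & & & \vdots \\ a_{\sigma(n)} & a_{\sigma(n)+1} & \cdots & a_{\sigma(n)+n-1} \end{pmatrix}, \quad A_gQ_\tau = \begin{pmatrix} b_{\tau(1)} & b_{\tau(2)} & \cdots & b_{\tau(n)} \\ b_{\tau(1)+1} & b_{\tau(2)+1} & \cdots & b_{\tau(n)+1} \\ \vdots & & & \vdots \\ b_{\tau(1)+n-1} & b_{\tau(2)+n-1} & \cdots & b_{\tau(n)+n-1} \end{pmatrix}.$$

From $P_\sigma A_f = A_gQ_\tau$, we derive

$$a_{\sigma(j)+i-1} = b_{\tau(i)+j-1}.$$

We note that the first rows of $P_\sigma A_f$ and $A_gQ_\tau$ are the same. Also, the sets $\{\sigma(1), \sigma(1)+1, \ldots, \sigma(1)+n-1\}$ and $\{\tau(1), \tau(2), \ldots, \tau(n)\}$ are simply permutations of $\{1, 2, \ldots, n\}$.

Therefore, we see that

$$wt(a_{\sigma(1)}, a_{\sigma(1)+1}, \ldots, a_{\sigma(1)+n-1}) = wt(a_1, a_2, \ldots, a_n),$$

$$wt(b_{\tau(1)}, b_{\tau(2)}, \ldots, b_{\tau(n)}) = wt(b_1, b_2, \ldots, b_n),$$

and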


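From Theorem 3.5.6, $\alpha_i$ and $\beta_i$ with $1 \le i \le n$ are unique with the property

$$(1, 0, \ldots, 0) = (\alpha_1, \ldots, \alpha_n)\, C(a_1, \ldots, a_n), \qquad (3.5)$$

$$(1, 0, \ldots, 0) = (\beta_1, \ldots, \beta_n)\, C(b_1, \ldots, b_n).$$

We multiply the second relation by $Q_\tau$ from the right and obtain

$$\begin{aligned}
(1, 0, \ldots, 0)\, Q_\tau &= (\beta_1, \ldots, \beta_n)\, A_gQ_\tau \\
&= (\beta_1, \ldots, \beta_n)\, P_\sigma A_f \\
&= (\beta_{\sigma^{-1}(1)}, \ldots, \beta_{\sigma^{-1}(n)})\, A_f.
\end{aligned} \qquad (3.6)$$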


(3.6) 


We multiply the last equation from the right by the permutation matrix $R_{n+1-\tau(1)}$, corresponding to the shift $\rho^{n+1-\tau(1)}$, to rewrite the left hand side of (3.6) in the standard form $(1, 0, \ldots, 0)$. Since $R_{n+1-\tau(1)}$ is also a circulant matrix, by Lemma 3.4.4, it will commute with $A_f$ and (3.6) becomes

$$\begin{aligned}
(1, 0, \ldots, 0) &= (\beta_{\sigma^{-1}(1)}, \ldots, \beta_{\sigma^{-1}(n)})\, R_{n+1-\tau(1)}\, A_f \\
&= (\beta_{\sigma^{-1}(1)-\tau(1)+1}, \ldots, \beta_{\sigma^{-1}(n)-\tau(1)+1})\, A_f.
\end{aligned}$$

Since $(\alpha_1, \ldots, \alpha_n)$ was unique with the property (3.5),

$$(\alpha_1, \ldots, \alpha_n) = (\beta_{\sigma^{-1}(1)-\tau(1)+1}, \ldots, \beta_{\sigma^{-1}(n)-\tau(1)+1}),$$

where the indices are mod $n$. Since the indices above right are just a permutation of $\{1, 2, \ldots, n\}$, we immediately get $wt(\Delta(f^*)) = wt(\Delta(g^*))$.














The previous theorem easily extends to the following corollary. 


Corollary 3.5.15. [56] Let $f$ and $g$ be two full-cycle MRS functions with the invertible classes $A_f$ and $A_g$, respectively. Let $A_f^{-1} = C(\alpha_1, \alpha_2, \ldots, \alpha_n)$ and $A_g^{-1} = C(\beta_1, \beta_2, \ldots, \beta_n)$. If $f \sim g$, then there exists a permutation matrix $P$ such that

$$P(\alpha_1, \ldots, \alpha_n) = (\beta_1, \ldots, \beta_n).$$
4. MRS BOOLEAN FUNCTIONS AND GRAPHS


4.1. INTRODUCTION 


The difficulty in the affine equivalence problem may be mitigated by establishing relationships to other disciplines in mathematics for possible solutions. Graph theory studies the properties of a graph, which is a structure defined by a set of vertices (or nodes) and a set of edges which connect vertices to each other. Often, a graph representation of an algebraic structure helps us to visualize the complexity of the structure. One simple example is visualization of a Boolean function using a tree, which is a graph in which each pair of vertices is connected by a unique path. There have been many attempts to establish meaningful relationships between graphs and Boolean functions. One of the interesting connections involves bent functions and Cayley graphs. In [64], Bernasconi and Codenotti showed that the Walsh transforms of some Boolean functions can be analyzed by a Cayley graph representation of Boolean functions. They later extended their finding to the characterization of bent functions, using strongly regular graphs in [65]. In 2007, Stanica [66] presented necessary conditions for bent functions and investigated the propagation criteria of Boolean functions, using the Cayley graph representation. In this chapter, we present some basic graph-theory material, briefly review the Cayley graph representation, and present a new graph representation of MRS functions and some analysis in regard to S-equivalence.


4.2. EXAMPLE OF GRAPH REPRESENTATION OF BOOLEAN FUNCTIONS 


4.2.1. Definitions and Fundamentals of a Graph 

A graph $G = (V, E)$ is defined by a set of vertices, $V$ or $V(G)$, and a set of edges, $E$ or $E(G) = \{\{x, y\} \mid x, y \in V, \text{ and } x \neq y\}$. If $\{x, y\} \in E(G)$, we say that $x$ and $y$ are adjacent. The number of edges that are incident with the vertex $v$ is the degree of $v$, denoted by $\deg(v)$. Two vertices are connected if we can go from one vertex to the other by traveling a path defined by the edges of the graph. A graph is connected if for every pair of vertices, there exists a path of edges connecting them. If a graph is not connected, it is disconnected. If each vertex of a graph $G$ has the same degree, we call $G$ a regular graph. A regular graph $G$ is strongly regular if there exist two integers $m$ and $n$ such that every two adjacent vertices have $m$ common neighbors, and every two nonadjacent vertices have $n$ common neighbors. A graph $G$ is bipartite if $V(G)$ can be partitioned into two sets $V_1$ and $V_2$ such that there exists no edge $\{v, w\}$ with $v, w \in V_1$ or $v, w \in V_2$. A graph $G$ is complete if $E(G)$ contains all possible edges. We denote the complete graph on $n$ vertices by $K_n$. Another special graph we use in this chapter is a cycle. In this thesis, we denote a cycle as $[v_1, v_2, \ldots, v_n]$ where $\{v_1, v_2, \ldots, v_n\} \subseteq V(G)$ and $E = \{\{v_1, v_2\}, \{v_2, v_3\}, \ldots, \{v_{n-1}, v_n\}, \{v_n, v_1\}\}$. Clearly, a cycle is a connected regular graph (or subgraph) of degree 2. Next, we give a formal definition of equality and isomorphism in graphs.


Definition 4.2.1. Two graphs $G(V_G, E_G)$ and $H(V_H, E_H)$ are equal if

$$V_G = V_H \text{ and } E_G = E_H.$$

The graphs $G$ and $H$ are isomorphic if there exists a bijection

$$f : V_G \to V_H,$$

such that for any vertices $u, v \in V_G$, $\{u, v\} \in E_G$ if and only if $\{f(u), f(v)\} \in E_H$.


Example 4.2.2. Let $G_1$ be the graph with $V(G_1) = \{1, 2, 3, 4, 5\}$ and $E(G_1) = \{\{1, 2\}, \{1, 3\}, \{2, 3\}, \{2, 4\}, \{3, 4\}, \{4, 5\}\}$. Sub-figure (a) of Figure 4.1 represents a drawing of $G_1$. The graph $G_1$ is not regular, since $\deg(1) = 2$ and $\deg(2) = 3$. The graphs $G_1$ and $G_2$ are isomorphic by the permutation $(1,5)(2,4)$. The graph $G_3$ is $K_5$ and clearly strongly regular. The graph $G_4$ on the sub-figure (d) is the cycle $[1, 2, 3, 4, 5, 6]$. However, it is not strongly regular, since the vertices 1 and 3 have one common neighbor 2, but vertices 1 and 4 have no common neighbor. It is bipartite, with the partition $V_1 = \{1, 3, 5\}$ and $V_2 = \{2, 4, 6\}$.

Figure 4.1: Simple Graphs. Panels: (a) $G_1$, (b) $G_2$, (c) $G_3$, (d) $G_4$.


4.2.2. An Example of Application of Graph Theory to Cryptographic Boolean Function


There have been many attempts to establish relationships between graph theory and Boolean functions. One of the most interesting relationships involves affine equivalence of Boolean functions and Cayley graphs.


Definition 4.2.3. [4, p. 194] Let $f$ be a Boolean function of $n$ variables. The Cayley graph of $f$, denoted by $\Gamma_f = (V, E)$, is defined by $V = \mathbb{F}_2^n$ and

$$E = \{\{v, w\} \mid v, w \in \mathbb{F}_2^n,\ v \neq w, \text{ and } f(v \oplus w) = 1\}.$$

In [64], Bernasconi and Codenotti introduced the relationship between the Cayley graph representation of Boolean functions and affine equivalent classes of four variable Boolean functions. They established an isomorphism between the eight affine equivalent classes of the 4-variable Boolean functions and eight classes of regular graphs with 16 vertices. Table 4.1 and Figure 4.2 illustrate their findings. They observed that, as the nonlinearity increases in the affine equivalent classes, the degree and connectivity of the matching graphs increase as well. Notably, Class V and VI graphs are degree 4-regular graphs, but Class VI graph is connected, whereas Class V is disconnected. A supplemental analysis of the relationship and other related materials can be found in [4, pp. 205–208].


4.3. A GRAPH REPRESENTATION OF ROTATION-SYMMETRIC BOOLEAN FUNCTIONS


We recall that an MRS function has a cyclical structure in its algebraic normal form (ANF). Adopting this feature, we attempt to represent a Boolean function with a graph with a similar property. We observe that an MRS function is a homogeneous function where each multiplication term of variables can be represented as a cycle. For example, the MRS Boolean function $f(x) = x_1x_2x_3 \oplus x_2x_3x_4 \oplus x_3x_4x_5 \oplus x_4x_5x_6 \oplus x_5x_6x_1 \oplus x_6x_1x_2$ of six variables can generate six cycles on vertices 1 through 6, that is $[1, 2, 3]$, $[2, 3, 4]$, $[3, 4, 5]$, $[4, 5, 6]$, $[5, 6, 1]$, and $[6, 1, 2]$. We can combine them, disregarding multiple edges, and obtain the graph represented in Figure 4.3. We note that the graph is regular but not strongly regular, since non-neighboring vertices 1 and 3 have the common neighbors vertices 2 and 5, but 1 and 4 have the common neighbors 2, 3, 5, and 6.

However, this construction may present a problem with the ordering of variables. Consider the following example.
| Class | Boolean Function |
|-------|------------------|
| I     | 0000000000000000 |
| II    | 0000000000000001 |
| III   | 0000000000000011 |
| IV    | 0000000000000111 |
| V     | 0000000000001111 |
| VI    | 0000000000010111 |
| VII   | 0000000100010111 |
| VIII  | 0000001101011001 |

| Class | Walsh Spectrum |
|-------|----------------|
| I     | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 |
| II    | 1, -1, -1, 1, -1, 1, 1, -1, -1, 1, 1, -1, 1, -1, -1, 1 |
| III   | 2, 0, -2, 0, -2, 0, 2, 0, -2, 0, 2, 0, 2, 0, -2, 0 |
| IV    | 3, -1, -1, -1, -3, 1, 1, 1, -3, 1, 1, 1, 3, -1, -1, -1 |
| V     | 4, 0, 0, 0, -4, 0, 0, 0, -4, 0, 0, 0, 4, 0, 0, 0 |
| VI    | 4, -2, -2, 0, -2, 0, 0, 2, -4, 2, 2, 0, 2, 0, 0, -2 |
| VII   | 5, -3, -3, 1, -3, 1, 1, 1, -3, 1, 1, 1, 1, 1, 1, -3 |
| VIII  | 6, -2, -2, 2, -2, -2, 2, -2, -2, 2, -2, -2, -2, 2, 2, 2 |

Table 4.1: Affine Equivalence Classes of 4-Variable Boolean Functions From [64]











Example 4.3.1. Let $f = x_1x_2x_3x_4$ (SANF) $\in \mathbb{F}_2^n$. Algebraically, $x_1x_2x_3x_4 = x_1x_3x_2x_4$. However, they generate two different cycles and hence two different graph representations as shown in Figure 4.4.


This indicates that the cyclic representation of MRS is sensitive to the order of variables. In order to obtain a consistent graph not affected by this ordering problem, we introduce the following notion, adding an order property to the definition of SANF.


Definition 4.3.2. Let $f$ be an MRS function of $n$ variables with the SANF $x_{i_1}x_{i_2} \cdots x_{i_d}$, where $1 < d < n$. The ordered short algebraic normal form (OSANF) of $f$, denoted by $f = x_{i_1}x_{i_2} \cdots x_{i_d}$ (OSANF) or $f = \|x_1x_{i_2} \cdots x_{i_d}\|$, is the SANF $x_{i_1}x_{i_2} \cdots x_{i_d}$ such that

$$i_1 = 1 \text{ and } 1 = i_1 < i_2 < \cdots < i_d.$$


By Definition 4.3.2, our scheme generates one and only one graph for each MRS Boolean function.
Figure 4.2: Cayley Graph Classes of 4-Variable Boolean Function From [64]. Panels: (c) Class III, (d) Class IV, (e) Class V, (f) Class VI, (g) Class VII, (h) Class VIII.


Definition 4.3.3. A cycle combination graph (CCG) of an $n$-variable MRS Boolean function $f(x) = x_1x_{P_2}x_{P_3} \cdots x_{P_d}$ (OSANF) with $d < n$, denoted by $G_f$, is a simple graph with $V = \{1, 2, \ldots, n\}$ and the edges of the cycles,

$$[1, P_2, P_3, \ldots, P_d],$$

$$[2, P_2 + 1 \bmod n, P_3 + 1 \bmod n, \ldots, P_d + 1 \bmod n], \ \ldots, \text{ and}$$

$$[n, P_2 + n - 1 \bmod n, P_3 + n - 1 \bmod n, \ldots, P_d + n - 1 \bmod n],$$

regarding multiple edges as one edge.

Figure 4.3: A Cycle Combination of an MRS Boolean Function. Panels: (a) Cycle 1, (b) Cycles 1 and 2, (c) Cycles 1-3, (d) Cycles 1-4, (e) Cycles 1-5, (f) Cycles 1-6.

Figure 4.4: Two Graphs Generated by the Same SANF. Panels: (a) $x_1x_2x_3x_4$ (SANF), (b) $x_1x_3x_2x_4$ (SANF).


Remark 4.3.4. In order to make our algebraic operations for the indices work, we add an additional property to the modular arithmetic in this chapter. We set

$$n \bmod n = 0.$$

This gives us $x_0 = x_n$, and we use the notations interchangeably.


We observe that two Boolean functions in $\mathcal{B}_n$ form a relationship with respect to the CCG. The relationship satisfies reflexivity, symmetry, and transitivity. Therefore, it is an equivalence relation and partitions the Boolean functions of n variables into equivalence classes.

Definition 4.3.5. Two MRS functions of the same variables, f and h, are cycle combination graph (CCG) equivalent, denoted by $f \cong h$, if $G_f$ is isomorphic to $G_h$.


MRS functions add interesting characteristics to the structure of CCGs. These characteristics originate from the cycles generated by shifting variables. Table 4.2 illustrates how shifting along the indices of the variables affects the cycles.

Rotation | Vertex Index Shift
$P_1 = 1$ | $P_2$ | $P_3$ | $\cdots$ | $P_d$
2 | $P_2 + 1 \bmod n$ | $P_3 + 1 \bmod n$ | $\cdots$ | $P_d + 1 \bmod n$
3 | $P_2 + 2 \bmod n$ | $P_3 + 2 \bmod n$ | $\cdots$ | $P_d + 2 \bmod n$
m | $P_2 + m - 1 \bmod n$ | $P_3 + m - 1 \bmod n$ | $\cdots$ | $P_d + m - 1 \bmod n$
n-1 | $P_2 + n - 2 \bmod n$ | $P_3 + n - 2 \bmod n$ | $\cdots$ | $P_d + n - 2 \bmod n$
n | $P_2 + n - 1 \bmod n$ | $P_3 + n - 1 \bmod n$ | $\cdots$ | $P_d + n - 1 \bmod n$

Table 4.2: Vertex Structure of a Cycle Combination Graph of a MRS Function


In order to analyze what happens at each vertex, we measure the distance from each variable in the monomial term to $x_n$. Let $k_i$ be the distance from $x_{P_i}$ to $x_n$, defined by $k_i = n - P_i$. Therefore, we have

$$k_1 = n - 1, \quad k_2 = n - P_2, \quad \ldots, \quad k_d = n - P_d.$$

Additionally, since we are working with the cycles derived from the variables of a Boolean function in ANF, we can measure the distance between the vertices in the following manner. Let $r_i$ be the distance between $x_{P_{i+1}}$ and $x_{P_i}$, defined by $r_i = P_{i+1} - P_i$. Then, we have

$$r_1 = P_2 - P_1, \quad r_2 = P_3 - P_2, \quad \ldots, \quad r_d = P_{d+1} - P_d, \qquad (4.1)$$

where $P_{d+1} = n + 1$.

We focus on vertex 1. Vertex 1 connects 2d times, as shown in Table 4.3.

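Shift | Vertex 1 and its Neighbors by Shift
0 | $P_d$ | $P_1 = 1$ | $P_2$
1 | $P_1 + k_2 + 1 \bmod n$ | $P_2 + k_2 + 1 \bmod n = 1$ | $P_3 + k_2 + 1 \bmod n$
2 | $P_2 + k_3 + 1 \bmod n$ | $P_3 + k_3 + 1 \bmod n = 1$ | $P_4 + k_3 + 1 \bmod n$
d-1 | $P_{d-1} + k_d + 1 \bmod n$ | $P_d + k_d + 1 \bmod n = 1$ | $P_1 + k_d + 1 \bmod n$

Table 4.3: Vertex 1 and its Neighbors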


By applying the descriptions of $k_i$ and $r_i$ with $1 \le i \le d$, we obtain the following set of edges at vertex $P_1 = 1$:

$$\{1, 1 \pm r_1 \pmod n\}, \quad \{1, 1 \pm r_2 \pmod n\}, \quad \ldots, \quad \{1, 1 \pm r_d \pmod n\}. \qquad (4.2)$$


By the shifting action of the CCG generation, the set of edges replicates on each vertex, depending only on the $r_i$'s. Therefore, by an inductive argument, we can generalize the result for any vertex. Table 4.4 shows the neighbors of an arbitrary vertex m.

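Shift | Neighbors of Vertex m
0 | $P_d + m - 1 \bmod n$ | $m$ | $P_2 + m - 1 \bmod n$
1 | $P_1 + k_2 + m \bmod n$ | $P_2 + k_2 + m \bmod n = m$ | $P_3 + k_2 + m \bmod n$
2 | $P_2 + k_3 + m \bmod n$ | $P_3 + k_3 + m \bmod n = m$ | $P_4 + k_3 + m \bmod n$
d-1 | $P_{d-1} + k_d + m \bmod n$ | $P_d + k_d + m \bmod n = m$ | $P_1 + k_d + m \bmod n$

Table 4.4: 2d Neighbors of Arbitrary Vertex m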


Applying the same argument as for the vertex 1, we obtain the following neighbors

$$\{m, m \pm r_1 \pmod n\}, \quad \{m, m \pm r_2 \pmod n\}, \quad \ldots, \quad \{m, m \pm r_d \pmod n\}. \qquad (4.3)$$

This generalization suggests that the CCGs are regular, since a CCG is a simple graph.

Theorem 4.3.6. Let f be an MRS function of n variables generated by $x_1x_{P_2}\cdots x_{P_d}$ (OSANF) and $G_f$ be the CCG of f. Then $G_f$ is regular. In particular, $G_f$ is

$$\left|\{\{1, 1 \pm r_i \pmod n\} \mid 1 \le i \le d\}\right|\text{-regular},$$

where $r_i$ are defined as in Equation 4.1.
Proof. By Equation 4.3, vertex 1 has 2d many edges, counting multiple edges, and the cardinality of

$$\{\{1, 1 \pm r_i \pmod n\} \mid 1 \le i \le d\}$$

gives us the number of edges at each vertex, counting multiple edges as one. Also, the degree of a vertex does not depend on the vertex, as discussed. Therefore, the claim holds.

Generally, each distinct r; adds two edges to a vertex, except when the two edges 
coincide with each other. We see that the exception results in an r-regular graph, where r 


is an odd number. 


Corollary 4.3.7. Let $f = x_1x_{P_2}\cdots x_{P_d}$ (OSANF) be an MRS function of n variables. Then, $G_f$ is a t-regular graph where $t = 2k_1 - 1$ for some $k_1 \in \mathbb{N}$ if and only if $n = 2k_2$ for some integer $k_2 \in \mathbb{N}$, and there exists i with $1 \le i \le d$ such that $r_i = k_2$.

Proof. ($\Leftarrow$) In line with Theorem 4.3.6, for an arbitrary vertex m, we have two edges $\{m, m + k_2 \bmod n\}$ and $\{m, m - k_2 \bmod n\}$. Since $n = 2k_2$,

$$m + k_2 \bmod n = m - k_2 \bmod n.$$

Hence, $r_i = k_2$ adds one edge to $G_f$. Additionally, any $r_i \ne k_2$ adds two edges to $G_f$. Therefore, $G_f$ is a t-regular graph where $t = 2k_1 - 1$ for some $k_1 \in \mathbb{N}$.

($\Rightarrow$) First, we claim n is even. If n is odd, Theorem 4.3.6 implies that each $r_i$ adds two distinct edges to a vertex. This contradicts that t is odd. In addition, if $r_i \ne k_2$ for all i, then we see that the $r_i$'s add two edges to the vertex, which makes t even, a contradiction. Therefore, the claim holds.





Using Table 4.2, we generate some possible configurations of graphs for MRS functions in Figure 4.5. They suggest that the CCGs for the functions of the order greater than three are generated by the union of CCGs of quadratic functions. However, when n = 5, the CCG $K_5$ is generated by two cycles [1, 2, 3, 4, 5] and [1, 3, 5, 2, 4], which are the CCGs of $x_1x_2$ (OSANF) and $x_1x_3$ (OSANF), respectively, and they are isomorphic to each other. This shows that generating quadratic functions may be isomorphic in their CCGs. Furthermore, Equation 4.3 suggests that we get a pair of edges from a quadratic function, which generates the CCG by shifting n times through the vertices. This implies that the space of CCGs for n variable Boolean functions can be generated by the CCGs of quadratic functions,

$$x_1x_2 \text{ (OSANF)},\ x_1x_3 \text{ (OSANF)},\ \ldots, \text{ and } x_1x_{\lfloor n/2 \rfloor + 1} \text{ (OSANF)}.$$

Figure 4.5: Isomorphic Cycle Combination Graph Classes n = 2 to 5 (panels: (a) n = 2, (b) n = 3, (c) n = 4, (d) n = 5)

Therefore, given n variable MRS Boolean functions, the maximum number of possible CCGs is

This gives us the following lemma.

Lemma 4.3.8. Given $n \in \mathbb{N}$, the maximum number of CCGs of an n-variable MRS is bounded above by $2^{\lfloor n/2 \rfloor}$.


The bound in Lemma 4.3.8 cannot improve to equality, since we have cases where 
some unions of the quadratic CCGs are impossible under certain conditions. We illustrate 


this in the following example. 


Example 4.3.9. In Figure 4.6, the sub-figures (b) through (d) form a basis for the graph 
space for n = 6, which generates the rest of the CCG’s, the sub-figures (e) through (g). 
We note that the configuration in Figure 4.7 is not a possible CCG. The graph is a 
combination of G, and Gy in Figure 4.6. Therefore, we have to use the edges connecting 
two numbers apart by 2 or 3. This implies that we cannot complete a cycle in Figure 4.7 
without violating the order structure of CCG. In other words, it is equivalent to a partition 
on six identical objects with parts of two and three only, which is impossible. So far, we focused on the fact that the difference between the indices of variables generates two edges at a vertex of the CCG. We note that we just need one of the two edges, and so we can simplify the notion with the next definition.


Definition 4.3.10. Let $f = x_1x_{P_2}x_{P_3}\cdots x_{P_d}$ (OSANF). Let $r_i$ be as in Equation 4.1. The distance set of f, denoted by DS(f), is the set

$$\{a_i \mid a_i = \min(r_i, n - r_i),\ 1 \le i \le d\}.$$

We call $a_i$ a distance element of f.
It is clear that each $r_i$ generates, at most, one distance element.

Figure 4.6: Cycle Combination Graphs n = 6 (panels: (a) through (g))

Figure 4.7: An Impossible CCG n = 6


Lemma 4.3.11. Let f be an MRS function of n variables whose CCG is an r-regular graph. Then,

$$|DS(f)| = \left\lceil \frac{r}{2} \right\rceil.$$

Proof. If n is odd, by the construction of CCG and Definition 4.3.10, each distance element generates two edges for a vertex of $G_f$, and so

$$|DS(f)| = \frac{r}{2} = \left\lceil \frac{r}{2} \right\rceil.$$

However, if n is even, we consider two cases. If r is even, by the construction of CCG and Definition 4.3.10, each distance element generates two edges for a vertex of $G_f$, and so

$$|DS(f)| = \frac{r}{2} = \left\lceil \frac{r}{2} \right\rceil.$$

If r is odd, by Corollary 4.3.7, we know

$$\frac{n}{2} \in DS(f),$$

and the distance element $\frac{n}{2}$ generates only one edge (or two overlapping edges) while each of the other distance elements generates two edges. So, we have,

$$|DS(f)| = \left\lceil \frac{r}{2} \right\rceil.$$



One of the characteristics of a quadratic MRS function f is that |DS(f)| = 1. 
However, not every MRS function f with |DS(f)| = 1 is a quadratic function. The next 
lemma addresses the case where a CCG of a quadratic MRS function is generated by a 


non-quadratic function. 


Lemma 4.3.12. Let f be an MRS function of n variables. Then there exists a quadratic MRS function h such that

$$G_h = G_f$$

if and only if

$$f = x_1x_d \text{ (OSANF)}$$

for some $2 \le d \le n$, or f is a non-quadratic MRS function such that

$$|DS(f)| = 1.$$

Proof. ($\Rightarrow$) Assume the conclusion is not true. Then, we have $|DS(f)| > 1$. Since $|DS(f)| > 1$ generates more than two edges at a vertex of $G_f$, there exists no quadratic MRS function h such that

$$G_f = G_h,$$

which is a contradiction.

($\Leftarrow$) If $f = x_1x_d$ (OSANF), the conclusion is immediate. If $f \ne x_1x_d$ (OSANF) and $DS(f) = \{k\}$ for $1 \le k \le \lfloor n/2 \rfloor$, we can set

$$h = x_1x_{k+1} \text{ (OSANF)}.$$

Example 4.3.13. Let n = 6, and

$$f_1 = x_1x_2 \text{ (OSANF)}$$

$$f_2 = x_1x_2x_3x_4x_5x_6 \text{ (OSANF)}$$

$$h_1 = x_1x_3 \text{ (OSANF)}$$

$$h_2 = x_1x_3x_5 \text{ (OSANF)}.$$

Clearly, we have

$$|DS(f_1)| = |DS(f_2)| = |DS(h_1)| = |DS(h_2)| = 1,$$

$$G_{f_1} = G_{f_2},$$

and
Lemma 4.3.14. Let $f = x_1x_ix_j$ (OSANF) be a cubic MRS function of n variables. Let a, b, and c be distance elements of $x_1x_i$ (OSANF), $x_1x_{j-i+1}$ (OSANF), and $x_1x_j$ (OSANF), respectively. Then, the following statements are true:

(1) If $a \ne b$, $a \ne c$, and $b \ne c$, then

$$G_f = G_{\|x_1x_i\|} \cup G_{\|x_1x_{j-i+1}\|} \cup G_{\|x_1x_j\|}.$$

(2) If $a \ne b$ and $b = c$, or $a \ne b$ and $a = c$, then

$$G_f = G_{\|x_1x_i\|} \cup G_{\|x_1x_{j-i+1}\|}.$$

(3) If $a = b$ and $b \ne c$, then

$$G_f = G_{\|x_1x_i\|} \cup G_{\|x_1x_j\|}.$$

(4) If $a = b = c$, then

$$G_f = G_{\|x_1x_i\|}.$$

Proof. For all instances, it is clear that

$$V(G_f) = V(G_{\|x_1x_i\|}) = V(G_{\|x_1x_{j-i+1}\|}) = V(G_{\|x_1x_j\|}).$$

So we focus on the equality of the edge sets.

(1) Since $a \ne b$, $a \ne c$, and $b \ne c$, an arbitrary vertex m has the edges

$$\{m, m \pm a \pmod n\}, \quad \{m, m \pm b \pmod n\}, \quad \{m, m \pm c \pmod n\}.$$

Also, each distance element generates a unique corresponding edge set. We have

$$\{\{j, j \pm a \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_i\|})$$

$$\{\{j, j \pm b \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_{j-i+1}\|})$$

$$\{\{j, j \pm c \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_j\|}).$$

Therefore,

$$E(G_f) = E(G_{\|x_1x_i\|}) \cup E(G_{\|x_1x_{j-i+1}\|}) \cup E(G_{\|x_1x_j\|})$$

and the claim holds.

(2) Since $a \ne b$ and $b = c$ (or $a \ne b$ and $a = c$), an arbitrary vertex m has the edges

$$\{m, m \pm a \pmod n\}, \quad \{m, m \pm b \pmod n\}.$$

The distance elements generate the following edges,

$$\{\{j, j \pm a \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_i\|})$$

$$\{\{j, j \pm b \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_{j-i+1}\|}).$$

Therefore,

$$E(G_f) = E(G_{\|x_1x_i\|}) \cup E(G_{\|x_1x_{j-i+1}\|}),$$

and the claim holds.

(3) The proof is similar to the one for (2).

(4) Since $a = b = c$, an arbitrary vertex m has the edges

$$\{m, m \pm a \pmod n\}.$$

The distance element generates the following edges

$$\{\{j, j \pm a \pmod n\} \mid 1 \le j \le n\} = E(G_{\|x_1x_i\|}).$$

Therefore,

$$E(G_f) = E(G_{\|x_1x_i\|})$$

and the claim holds.
When we create another MRS by adding another variable, we can increase the cardinality of the distance set by at most two. Using this, we further generalize the idea of Lemma 4.3.14.

Lemma 4.3.15. Let $f = x_1x_ix_j$ (OSANF) and $h = x_1x_ix_jx_k$ (OSANF) be MRS functions of n variables. Let a, b, and c be distance elements of $x_1x_j$ (OSANF), $x_1x_{k-j+1}$ (OSANF), and $x_1x_k$ (OSANF), respectively. Then, the following statements are true:

(1) If $DS(h) = DS(f)$, then

$$G_h = G_f.$$

(2) If $|DS(h)| = |DS(f)| + 1$, and a is a redundant distance element of f, then,

$$b = c$$

and

$$G_h = G_f \cup G_{\|x_1x_k\|}.$$

(3) If $|DS(h)| = |DS(f)| + 1$ and a is not a redundant distance element of f,

$$b \ne c$$

and

$$G_h = G_f \cup G_{\|x_1x_{k-j+1}\|} \cup G_{\|x_1x_k\|} - G_{\|x_1x_j\|}.$$

(4) If $|DS(h)| = |DS(f)| + 2$, a is a redundant distance element of f,

$$b \ne c,$$

and

$$G_h = G_f \cup G_{\|x_1x_{k-j+1}\|} \cup G_{\|x_1x_k\|} - G_{\|x_1x_j\|}.$$

Proof. For all instances, the function h is obtained by removing the distance element a and adding the distance elements b and c. We can construct $G_h$ from $G_f$, tracking the changes from DS(f) to DS(h). Clearly,

$$V(G_f) = V(G_h).$$

We also have a general construction of the edge set of $G_h$.

$$E(G_h) = E(G_f) \cup E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|}) - E(G_{\|x_1x_j\|}).$$

(1) Since $DS(h) = DS(f)$, we have

$$E(G_f) = E(G_f) - E(G_{\|x_1x_j\|}),$$

and

$$E(G_f) \supseteq E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|}).$$

Therefore,

$$E(G_f) = E(G_h).$$

(2) Since a is a redundant distance element of f,

$$E(G_f) = E(G_f) - E(G_{\|x_1x_j\|}).$$

Since $|DS(h)| = |DS(f)| + 1$, $b = c$, or equivalently

$$E(G_{\|x_1x_{k-j+1}\|}) = E(G_{\|x_1x_k\|}).$$

Therefore,

$$G_h = G_f \cup G_{\|x_1x_k\|}.$$

(3) Since a is not a redundant distance element of f,

$$E(G_f) \supset E(G_f) - E(G_{\|x_1x_j\|}).$$

Additionally, $|DS(h)| = |DS(f)| + 1$. So, we have to have $b \ne c$. Therefore,

$$E(G_h) = E(G_f) - E(G_{\|x_1x_j\|}) \cup E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|}).$$

(4) If a is not a redundant distance element, or $b \ne c$, we have $|DS(h)| = |DS(f)| + 1$ at most, which is a contradiction. Clearly,

$$E(G_h) = E(G_f) - E(G_{\|x_1x_j\|}) \cup E(G_{\|x_1x_{k-j+1}\|}) \cup E(G_{\|x_1x_k\|})$$

and the claim follows.

We extend Lemma 4.3.15 to the next theorem, whose proof is omitted, since it is somewhat similar.

Theorem 4.3.16. Let $f = x_1x_{i_2}x_{i_3}\cdots x_{i_{k-1}}x_{i_k}$ (OSANF) and $h = x_1x_{i_2}x_{i_3}\cdots x_{i_k}x_{i_{k+1}}$ (OSANF) be MRS functions of n variables. Let a, b, and c be distance elements of $x_1x_{i_k}$ (OSANF), $x_1x_{i_{k+1} - i_k + 1}$ (OSANF), and $x_1x_{i_{k+1}}$ (OSANF), respectively. Then, the following statements are true:

(1) If $DS(h) = DS(f)$, then

$$G_h \cong G_f.$$

(2) If $|DS(h)| = |DS(f)| + 1$, and a is a redundant distance element of f, then,

$$b = c$$

and

$$G_h = G_f \cup G_{\|x_1x_{i_{k+1}}\|}.$$

(3) If $|DS(h)| = |DS(f)| + 1$ and a is not a redundant distance element of f,

$$b \ne c$$

and

$$G_h = G_f \cup G_{\|x_1x_{i_{k+1} - i_k + 1}\|} \cup G_{\|x_1x_{i_{k+1}}\|} - G_{\|x_1x_{i_k}\|}.$$

(4) If $|DS(h)| = |DS(f)| + 2$, then a is a redundant distance element of f,

$$b \ne c,$$

and

$$G_h = G_f \cup G_{\|x_1x_{i_{k+1} - i_k + 1}\|} \cup G_{\|x_1x_{i_{k+1}}\|} - G_{\|x_1x_{i_k}\|}.$$


The following theorems can be proved by fundamental number- and graph-theoretic 


techniques. 


Theorem 4.3.17. Let f be an MRS function of n variables. If $G_f$ is disconnected, then $1 \notin DS(f)$, and every element in DS(f) divides n.

Proof. We prove this by contradiction. First, if $1 \in DS(f)$, $G_f$ clearly contains the cycle [1, 2, ..., n]. Therefore, it is connected, which is a contradiction. Also, if there exists a distance element a of f such that $a \nmid n$, a is a generator of the group $\mathbb{Z}_n$ with respect to addition modulo n. And, we see that the following set of edges form $C_n$:

$$\{\{1, 1 + a\}, \{1 + a, 1 + 2a \bmod n\}, \ldots, \{1 + (n-1)a \bmod n,\ 1 + na \bmod n\}\}$$

$$= \{\{1, 1 + a\}, \{1 + a, 1 + 2a \bmod n\}, \ldots, \{1 + (n-1)a \bmod n,\ 1\}\}.$$

This contradicts the fact that $G_f$ is disconnected, since $C_n \in G_f$ implies $G_f$ is connected.

Figure 4.8: CCG of $f = x_1x_3x_6x_9$ (OSANF)

The converse of the previous theorem does not hold, since there are instances where we can form a connected CCG with the nonzero distance elements that divide n. For example, let n = 12. Then, $f = x_1x_3x_6x_9$ (OSANF) has $1 \notin DS(f) = \{2, 3, 4\}$ and $2 \mid 12$, $3 \mid 12$ and $4 \mid 12$. However, $G_f$ is connected, as seen in Figure 4.8. Next, we present a case where a CCG happens to be a complete graph.

Theorem 4.3.18. Let f be an MRS function of n variables. Then, $G_f$ is complete if and only if $DS(f) = \{1, 2, \ldots, \lfloor n/2 \rfloor\}$.

Proof. ($\Rightarrow$) Since $G_f$ is regular, we make a case for the vertex 1. Since $G_f$ is complete, vertex 1 is incident to the set of edges

$$\{1, 2\}, \{1, 3\}, \ldots, \{1, n\}.$$

By Definition 4.3.10,

$$DS(f) = \{\min(2 - 1, n - 2 + 1), \min(3 - 1, n - 3 + 1), \ldots, \min(n - 1, n - n + 1)\}$$

($\Leftarrow$) By Definition 4.3.10, the vertex 1 has a set of edges

$$\{1, 1 \pm 1 \bmod n\}, \{1, 1 \pm 2 \bmod n\}, \ldots, \{1, 1 \pm \lfloor n/2 \rfloor\}$$

$$= \{1, 2\}, \{1, 3\}, \ldots, \{1, n\}.$$

Corollary 4.3.19. Let f be an MRS function of n variables. If $G_f = K_n$, then $\deg(f) \ge \lfloor n/2 \rfloor$.

Proof. By Theorem 4.3.18, $|DS(f)| = \lfloor n/2 \rfloor$. Therefore, f needs at least $\lfloor n/2 \rfloor$ variables in its OSANF.
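The CCG results of this section can be checked mechanically. The following Python sketch is an added example, not code from the thesis: it builds $G_f$ from an OSANF index list by the shifting rule of Table 4.2, computes DS(f) from Definition 4.3.10, and tests regularity, connectivity and completeness. All function names are hypothetical.

```python
def wrap(v, n):
    """Reduce an index to a vertex label in 1..n (so n + 1 becomes 1)."""
    return (v - 1) % n + 1

def ccg_edges(n, P):
    """Edges of G_f for f = x_{P[0]} x_{P[1]} ... (OSANF): shift the cycle
    [P_1, ..., P_d] through all n rotations, merging multiple edges."""
    P = list(P)
    if len(P) < 2 or P[0] != 1 or P != sorted(set(P)) or P[-1] > n:
        raise ValueError("need 1 = P_1 < P_2 < ... < P_d <= n")
    edges = set()
    for shift in range(n):
        cycle = [wrap(p + shift, n) for p in P]
        for i, a in enumerate(cycle):
            edges.add(frozenset((a, cycle[(i + 1) % len(cycle)])))
    return edges

def distance_set(n, P):
    """DS(f) = {min(r_i, n - r_i)}, r_i = P_{i+1} - P_i, P_{d+1} = n + 1."""
    ext = list(P) + [n + 1]
    return {min(b - a, n - (b - a)) for a, b in zip(ext, ext[1:])}

def edges_from_distances(n, ds):
    """Edge set {j, j + a (mod n)} over all vertices j and distance elements a."""
    return {frozenset((j, wrap(j + a, n))) for j in range(1, n + 1) for a in ds}

def regular_degree(n, edges):
    """Common vertex degree if the graph is regular, otherwise None."""
    deg = {v: 0 for v in range(1, n + 1)}
    for e in edges:
        for v in e:
            deg[v] += 1
    values = set(deg.values())
    return values.pop() if len(values) == 1 else None

def is_connected(n, edges):
    """Depth-first search from vertex 1."""
    adj = {v: set() for v in range(1, n + 1)}
    for e in edges:
        a, b = tuple(e)
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = {1}, [1]
    while stack:
        for w in adj[stack.pop()] - seen:
            seen.add(w)
            stack.append(w)
    return len(seen) == n

def summarize(n, P):
    """Collect the quantities discussed in Section 4.3 for one MRS function."""
    edges = ccg_edges(n, P)
    ds = distance_set(n, P)
    return {
        "DS": ds,
        "degree": regular_degree(n, edges),
        "connected": is_connected(n, edges),
        "complete": len(edges) == n * (n - 1) // 2,
        "matches_eq_4_3": edges == edges_from_distances(n, ds),
    }

if __name__ == "__main__":
    # The n = 12 example discussed after Theorem 4.3.17.
    print(summarize(12, [1, 3, 6, 9]))
    # A quadratic function with r_i = n/2 (Corollary 4.3.7).
    print(summarize(6, [1, 4]))
    # DS(f) = {1, 2} for n = 5 gives the complete graph (Theorem 4.3.18).
    print(summarize(5, [1, 2, 3]))
```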
5. TWO CONSTRUCTIONS OF BOOLEAN FUNCTIONS WITH GOOD CRYPTOGRAPHIC PROPERTIES


5.1. INTRODUCTION


The two key factors in designing cryptographic Boolean functions are security and 
speed. We achieve security by having good measures in as many cryptographic properties 
as possible for the Boolean functions in a cipher, such as balancedness to resist statistical 
attacks, high nonlinearity to address linear cryptanalysis, high algebraic degree against al- 
gebraic attacks, correlation immunity and resilience to deal with correlation attacks, and 
algebraic immunity to resist (fast) algebraic attacks. Speed is another important aspect, 
since we desire fast encryption and decryption. For example, the Carlet-Feng function has 
good cryptographic properties, but compared to other functions, it is not simple to gener- 
ate or implement. This may cause certain ciphers to underperform. Security and speed 
often conflict with each other, since higher security usually implies slower speed. Here 
we present two constructions for good cryptographic Boolean functions, using a crypto- 
graphically strong base function, and three simple Boolean operations, namely affine trans- 
formation, concatenation, and complementation. One of the significant benefits from this 
construction is the flexibility to choose a base function with customizable cryptographic 
properties. We achieve security from the inherent qualities of the base function and ob- 
tain speed by the simple Boolean operations. In Chapter 6, we give applications for our 


constructions. This chapter is based on Chung, Stanica, Tan, and Wang [27]. 


5.2. CONSTRUCTION TECHNIQUES OF CRYPTOGRAPHIC BOOLEAN FUNCTIONS


In this section, we review fundamental construction techniques for cryptographic 


Boolean functions. 
5.2.1. Concatenation

Given two base Boolean functions f and g, both belonging to $\mathcal{B}_n$, we can construct another Boolean function, $h \in \mathcal{B}_{n+1}$, by concatenating their truth tables. We note that since the new function has to have $2^{n+1}$ elements in its truth table, the two functions concatenated must have the same number of variables or be the same length. To illustrate this point, if $h = f \| g$, $h \in \mathcal{B}_k$, $f \in \mathcal{B}_{k_1}$, and $g \in \mathcal{B}_{k_2}$ with $k_1, k_2 \in \mathbb{N}$ and $k_1 \ne k_2$, we have $2^k = 2^{k_1} + 2^{k_2} = 2^{k_1}(1 + 2^{k_2 - k_1})$. This implies $2^k$ has an odd factor, which is a contradiction. Therefore, we provide the following proposition.

Proposition 5.2.1. Let f and g be two Boolean functions. If $h = f \| g$, then f and g have the same number of variables.

Concatenating two Boolean functions introduces a new variable to the ANF of the concatenated function. The following useful lemma illustrates how we can obtain the ANF of the new function from the ANFs of the base functions.

Lemma 5.2.2. Let $f, g \in \mathcal{B}_{n-1}$. If $h = f \| g$ with $h \in \mathcal{B}_n$, then

$$h(x) = (x_n \oplus 1) f(X_{n-1}) \oplus x_n g(X_{n-1}),$$

where $X_{n-1} = (x_1, \ldots, x_{n-1})$ and $x = (x_1, \ldots, x_n)$.


Example 5.2.3. We illustrate Lemma 5.2.2 with two functions f and g on Table 5.1. We can convert the truth tables to ANFs as below.

$$g(x) = 1 \oplus x_1 \oplus x_3 \oplus x_1x_2 \oplus x_2x_3 \oplus x_1x_2x_3$$


We confirm the following equation of ANFs of the functions using Lemma 5.2.2 and Table 5.2.

Table 5.1: Truth Table of f and g

$$h(x) = (x_4 \oplus 1) f(X_{n-1}) \oplus x_4 g(X_{n-1})$$

$$= x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_1x_3 \oplus x_2x_3 \oplus x_2x_4 \oplus x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_3x_4$$

x4 | x3 | x2 | x1 | h(x) | x4 | x3 | x2 | x1 | h(x)
0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1
0 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 1 | 0
0 | 0 | 1 | 0 | 1 | 1 | 0 | 1 | 0 | 1
0 | 0 | 1 | 1 | 0 | 1 | 0 | 1 | 1 | 1
0 | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 0
0 | 1 | 0 | 1 | 1 | 1 | 1 | 0 | 1 | 1
0 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 0 | 1
0 | 1 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 0

Table 5.2: Truth Table of h = f || g
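Lemma 5.2.2 can be checked against Table 5.2 with a binary Möbius transform. The following Python sketch is an added example, not code from the thesis: it reads f and g off the two halves of Table 5.2, computes their ANFs, and compares the ANF of $h = f \| g$ with $(x_4 \oplus 1) f \oplus x_4 g$. Function names are hypothetical; index bit k-1 of a truth-table position holds $x_k$.

```python
def anf(tt):
    """Binary Moebius transform: truth table -> list of ANF coefficients.
    Position m of the result is the coefficient of the monomial whose
    variables are the set bits of m (bit k-1 <-> x_k)."""
    c = list(tt)
    step = 1
    while step < len(c):
        for j in range(len(c)):
            if j & step:
                c[j] ^= c[j ^ step]
        step <<= 1
    return c

def monomials(coeffs):
    """Monomials with coefficient 1, written like 'x1x3' ('1' = constant)."""
    out = set()
    for mask, c in enumerate(coeffs):
        if c:
            names = [f"x{k + 1}" for k in range(mask.bit_length()) if mask >> k & 1]
            out.add("".join(names) or "1")
    return out

def concat_anf(cf, cg):
    """ANF coefficients of f || g from those of f and g, following
    (x_n + 1) f + x_n g = f + x_n (f + g) over F_2."""
    return list(cf) + [a ^ b for a, b in zip(cf, cg)]

# Truth tables read from Table 5.2 (x4 = 0 half is f, x4 = 1 half is g),
# listed for (x3, x2, x1) = 000, 001, ..., 111.
F = [0, 1, 1, 0, 1, 1, 1, 0]
G = [1, 0, 1, 1, 0, 1, 1, 0]
H = F + G  # h = f || g

if __name__ == "__main__":
    print("f:", sorted(monomials(anf(F))))
    print("g:", sorted(monomials(anf(G))))
    print("h:", sorted(monomials(anf(H))))
    print("lemma holds:", anf(H) == concat_anf(anf(F), anf(G)))
```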





The following theorem by Siegenthaler shows that a technique as simple as con- 


catenation can be used to preserve certain cryptographic properties. 


Theorem 5.2.4. [23] If Boolean functions $f, g \in \mathcal{B}_n$ have correlation immunity of order k, then $h = f \| g$ has correlation immunity of order k.
5.2.2. Kronecker Product

The Kronecker product is a matrix operation that takes two matrices of arbitrary size and outputs a block matrix.

Definition 5.2.5. Given $A = \{a_{ij}\}$, an $m \times n$ matrix and $B = \{b_{ij}\}$, a $p \times q$ matrix. The Kronecker product of A and B, denoted by $A \otimes B$, is an $mp \times nq$ matrix,

$$A \otimes B = \begin{pmatrix} a_{11}B & \cdots & a_{1n}B \\ \vdots & & \vdots \\ a_{m1}B & \cdots & a_{mn}B \end{pmatrix} = \begin{pmatrix} a_{11}b_{11} & \cdots & a_{1n}b_{1q} \\ \vdots & & \vdots \\ a_{m1}b_{p1} & \cdots & a_{mn}b_{pq} \end{pmatrix}.$$

The Kronecker product can be used to generate higher-dimensional bent functions from a base bent function.

Theorem 5.2.6. [67] Let a 4k-dimensional column vector x represent the truth table of a bent function with k = 1, 2, .... Then,

$$z = x \otimes x$$

is a bent function expressed in a $16k^2$-dimensional column vector.


In another example, the Kronecker product is a key concept to prove the following theorem, which addresses a construction of bent functions.

Theorem 5.2.7. [67] Let two Boolean functions f and g be such that $f : \mathbb{F}_2^m \to \mathbb{F}_2$ and $g : \mathbb{F}_2^n \to \mathbb{F}_2$. Then the Boolean function $h : \mathbb{F}_2^{m+n} \to \mathbb{F}_2$, defined by $h(z) = f(x) \oplus g(y)$ with $z = x \| y$, is bent if and only if f and g are bent.

This theorem shows how a Boolean function of 2k variables, $f(x) = x_1x_2 \oplus x_3x_4 \oplus \cdots \oplus x_{2k-1}x_{2k}$ with $k \ge 1$, is bent. The direct-sum method is a key component of various bent function constructions including the constructions of Maiorana and McFarland [68], [69], and Carlet [70], [71], and Canteaut et al. [30].


5.2.3. Affine Operations 


We can integrate various operations that are conceptually linear to a construction method to have significant effects. For example, linear transformation of variables, complementation of domain or function values, and adding polynomials are frequently used for construction and analysis.

Example 5.2.8. If a Boolean function f is bent, then $f \oplus l$ is bent for any affine function l [4, p. 83]. Let A be an $n \times n$ invertible matrix over $\mathbb{F}_2$ and $v \in \mathbb{F}_2^n$. If a Boolean function f of n variables is bent, then $g(x) = f(Ax \oplus v)$ is bent [4, p. 84]. Therefore, $h(x) = f(Ax \oplus v) \oplus l$ is bent as well.


5.3. TWO CONSTRUCTIONS TO ADDRESS SECURITY AND SPEED


We introduce two constructions [27] based on functions $f_i \in \mathcal{B}_{n-2}$ where i = 1, 2.


Construction 1. 














For $\{i, j\} = \{1, 2\}$, we define the functions on $\mathbb{F}_2^n$:


irae alec ale cram cae ee eal crm ca We ca|iecal Decora | lecalancalere 


AGG fs AAG AIBN A A AGMA A 


Construction 2. 
For $\{i, j\} = \{1, 2\}$, we define the functions on $\mathbb{F}_2^n$:














ii | ie fi | i; | fj | be 


We observe that some functions in the constructions are affine equivalent to each other. For example, given two functions u and v of n - 1 variables with $x \in \mathbb{F}_2^n$,

$$(u \| \bar{v})(x) = (x_n \oplus 1)u \oplus x_n v \oplus x_n = (u \| v)(x) \oplus x_n$$

by Definition 3.2.1. Therefore,

$$u \| v \sim u \| \bar{v}.$$

Also,

$$(u \| v)(x) = (v \| u)(x \oplus (0, \ldots, 0, 1))$$

due to the lexicographical order of domain. So we have

$$u \| v \sim v \| u,$$

where $\sim$ signifies affine equivalence.


By setting u = f; || f; and v = f; || f;, itis clear that u || vo = fi || fj ll fi ll F 
is affine equivalent to u || « = f; || f; || fi || f;- By similar arguments, we have for 


Construction 1, 


FAA AM A 


AIGWAWIA ~ Fill fill fll fi 


A AAW A 
and 
a eraleealee 
FANG te Fell Pe elliges 
fill fil fe Wf 
For Construction 2, 
AIGNAIA = AlAW AAO! 
and 
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AlGWGWA = Al AN AN ASI, 


Therefore, we have 


PAGAL ~ AIGA 


and 


FIG GA ~ AGW WA. 


There have been some constructions which use some components of our constructions. For example, the bentness, the resiliency, and the normality properties of concatenated bent functions were considered in [72, 73]. The normality of $f_1 \| f_2 \| f_2 \| f_1$ for arbitrary function $f_i$ with i = 1, 2 is mentioned in [74]. Our constructions address the instance where the $f_i$'s are affine equivalent to each other, and we cover other configurations. Moreover, we explore more than the normality of the functions. A function $f \in \mathcal{B}_n$ satisfies the high degree product (HDP) of order n if, for any non-annihilating function g of degree $1 \le e \le \lceil n/2 \rceil - 1$, the degree $d = \deg(gf)$ satisfies $e + d \ge n$ [75]. In [75], Pasalic introduced a concatenation of four functions which requires each function to have maximum algebraic immunity, to show that the notion of HDP can measure resistance to fast algebraic attacks.

Remark 5.3.1. In [76], Wang et al. demonstrated that the construction based on a four-function concatenation in [75] does not always produce an HDP function.
5.4. CRYPTOGRAPHIC PROPERTIES OF THE TWO CONSTRUCTIONS


We start with algebraic immunity and nonlinearity. To set the stage for these properties, we take a look at the Walsh-Hadamard transform of the functions. The relationship between the Walsh-Hadamard transform and the function formed by concatenating two or four functions of the same variables is well known. We generalize the relationship and present the next lemma, which relates the Walsh-Hadamard coefficients of g (in some dimension) to the Walsh-Hadamard coefficients of its $2^k$ ($k \ge 1$) concatenated parts.

Lemma 5.4.1. [27] If $g(x, x_{n+1}, \ldots, x_{n+r}) = f_1(x) \| f_2(x) \| \cdots \| f_{2^r}(x) = \big\|_{k=1}^{2^r} f_k(x)$, then

$$W_g(u, u') = \sum_{k=1}^{2^r} (-1)^{u' \cdot a(k)}\, W_{f_k}(u),$$

where $r \in \mathbb{N}$, a(k) is the kth lexicographically ordered vector in $\mathbb{F}_2^r$, and $u' = (u_{n+1}, \ldots, u_{n+r})$.


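Proof. We show our result by induction on r. If r = 1,

$$W_g(u, u_{n+1}) = \sum_{(x, x_{n+1}) \in \mathbb{F}_2^{n+1}} (-1)^{g(x, x_{n+1}) + u \cdot x + u_{n+1}x_{n+1}}$$

$$= \sum_{x \in \mathbb{F}_2^n} (-1)^{f_1(x) + u \cdot x} + (-1)^{u_{n+1}} \sum_{x \in \mathbb{F}_2^n} (-1)^{f_2(x) + u \cdot x}$$

$$= W_{f_1}(u) + (-1)^{u_{n+1}} W_{f_2}(u).$$

For the induction hypothesis, we assume,

$$W_g(u, u_{n+1}, \ldots, u_{n+r}) = \sum_{k=1}^{2^r} (-1)^{u' \cdot a(k)}\, W_{f_k}(u),$$

for

$$g''(x, x_{n+1}, \ldots, x_{n+r+1}) = f_1(x) \| f_2(x) \| \cdots \| f_{2^{r+1}}(x) = g \| g' = \big\|_{k=1}^{2^{r+1}} f_k(x),$$

where $g' = f_{2^r+1}(x) \| f_{2^r+2}(x) \| \cdots \| f_{2^{r+1}}(x)$.

Then, we have

$$W_{g''}(u, u_{n+1}, \ldots, u_{n+r+1}) = W_g(u, u_{n+1}, \ldots, u_{n+r}) + (-1)^{u_{n+r+1}}\, W_{g'}(u, u_{n+1}, \ldots, u_{n+r})$$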


=i WV jg (ua) abe dL) WY (See EW) 











which shows our result. 





The next lemma shows what happens to algebraic immunity when XORing two 


functions. 


Lemma 5.4.2. [77, Lemma 1] For any $f \in \mathcal{B}_n$ and any $l \in \mathcal{A}_n$,

$$AI(f) - 1 \le AI(f \oplus l) \le AI(f) + 1.$$

In general, for any $f \in \mathcal{B}_n$ and any function $h \in \mathcal{B}_n$ with $\deg(h) = k$,

$$AI(f) - k \le AI(f \oplus h) \le AI(f) + k.$$

The next lemma shows how algebraic immunity behaves when concatenating two functions.

Lemma 5.4.3. [77, Proposition 1] Let $g_1, g_2$ be two Boolean functions in the variables $x_1, \ldots, x_n$ with $AI(g_1) = d_1$, $AI(g_2) = d_2$, and let $g = (1 \oplus x_{n+1})g_1 \oplus x_{n+1}g_2 \in \mathcal{B}_{n+1}$. Then, the following hold:

If $d_1 \ne d_2$, then $AI(g) = \min\{d_1, d_2\} + 1$.

If $d_1 = d_2 (=: d)$, then $d \le AI(g) \le d + 1$. Further, $AI(g) = d$ if and only if there exists $f_1, f_2 \in \mathcal{B}_n$ of algebraic degrees d that either both annihilate $g_1, g_2$, or both annihilate $\overline{g_1}, \overline{g_2}$, and $\deg(f_1 \oplus f_2) \le d - 1$.


For our next result, we let $f_1 \in \mathcal{B}_{n-2}$ in Construction 1 and 2 be any balanced function and $f_2(x) = f_1(Ax \oplus b)$, where A is an (n - 2) by (n - 2) invertible matrix over $\mathbb{F}_2$ and b is an (n - 2) dimensional vector over $\mathbb{F}_2$. We note that, since $f_1$ and $f_2$ are affine equivalent, we have $\deg(f_1) = \deg(f_2)$, $AI(f_1) = AI(f_2)$ and $nl(f_1) = nl(f_2)$.

Theorem 5.4.4. [27] Let $f \in \mathcal{B}_n$ be given by Constructions 1 or 2. $f_1, f_2 \in \mathcal{B}_{n-2}$ are nonconstant and affine equivalent. Then, f is balanced.

$$\deg(f) = \max\{\deg(f_1), \deg(f_1 \oplus f_2) + 1\},$$

and

$$AI(f) \ge \min\{AI(f_1 \| f_2), AI(f_1 \| \bar{f_2})\} = AI(f_1).$$

Moreover,

$$nl(f) = 2^{n-2} + 2\,nl(f_1),$$

for functions in Construction 1, and

$$nl(f) = 4\,nl(f_1),$$

for functions in Construction 2.


Proof. We prove the result for Construction 1 for two cases, since the others are similar.

First, let $f = f_1 \| f_2 \| f_1 \| \bar{f_2}$. We observe that

$$f = (x_n \oplus 1)(f_1 \| f_2) \oplus x_n(f_1 \| \bar{f_2})$$

$$= (x_n \oplus 1)((x_{n-1} \oplus 1)f_1 \oplus x_{n-1}f_2) \oplus x_n((x_{n-1} \oplus 1)f_1 \oplus x_{n-1}(f_2 \oplus 1))$$

$$= f_1 \oplus x_{n-1}f_1 \oplus x_{n-1}f_2 \oplus x_nx_{n-1}$$

$$= (f_1 \| f_2) \oplus x_nx_{n-1}.$$

Since $f_1$ and $f_2$ are nonconstant,

$$\deg(f) = \deg(f_1 \| f_2) = \max\{\deg(f_1), \deg(f_1 \oplus f_2) + 1\}.$$

Since

$$(f_1 \| \bar{f_2})(X_{n-1}) = (f_1 \| f_2)(X_{n-1}) \oplus x_{n-1},$$

where $X_{n-1} = (x_1, x_2, \ldots, x_{n-1})$, by Lemma 5.4.2,

$$|AI(f_1 \| f_2) - AI(f_1 \| \bar{f_2})| \le 1.$$

So, we check two possibilities.

If $AI(f_1 \| f_2) = AI(f_1 \| \bar{f_2})$, by Lemma 5.4.3

$$AI(f) = AI(f_1 \| f_2) = AI(f_1).$$

If $|AI(f_1 \| f_2) - AI(f_1 \| \bar{f_2})| = 1$, then Lemma 5.4.3 shows that

$$AI(f) = \min\{d, d + 1\} + 1 = d + 1,$$

where $\min\{AI(f_1 \| f_2), AI(f_1 \| \bar{f_2})\} = d$.

Second, let $f = f_1 \| f_2 \| f_2 \| \bar{f_1}$. Then,

$$f = (x_n \oplus 1)(f_1 \| f_2) \oplus x_n(f_2 \| \bar{f_1})$$

$$= (x_n \oplus 1)((x_{n-1} \oplus 1)f_1 \oplus x_{n-1}f_2) \oplus x_n((x_{n-1} \oplus 1)f_2 \oplus x_{n-1}(f_1 \oplus 1))$$

$$= (f_1 \| f_2) \oplus x_n(f_1 \oplus f_2 \oplus x_{n-1}).$$

So, we have

$$\deg(f) = \deg(f_1 \| f_2) = \max\{\deg(f_1), \deg(f_1 \oplus f_2) + 1\}.$$

The algebraic immunity computation does not change in this case.

To find the nonlinearity, we consider only $f = f_1 \| f_2 \| f_1 \| \bar{f_2}$ of Construction 1 since the proofs for the other cases are similar. Using Lemma 5.4.1, we obtain

$$W_f(u, u_{n-1}, u_n) = W_{f_1}(u) + (-1)^{u_{n-1}} W_{f_2}(u) + (-1)^{u_n} W_{f_1}(u) + (-1)^{u_{n-1} + u_n} W_{\bar{f_2}}(u)$$

$$= (1 + (-1)^{u_n})\, W_{f_1}(u) + (-1)^{u_{n-1}} (1 - (-1)^{u_n})\, W_{f_2}(u).$$

Thus, $W_f(u, u_{n-1}, 0) = 2W_{f_1}(u)$ and $W_f(u, u_{n-1}, 1) = 2(-1)^{u_{n-1}} W_{f_2}(u)$. It follows that

$$\max_{(u, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(u, u_{n-1}, u_n)| = 2 \max_{u \in \mathbb{F}_2^{n-2}} |W_{f_1}(u)| = 2^{n-1} - 4\,nl(f_1).$$

Therefore,

$$nl(f) = 2^{n-2} + 2\,nl(f_1).$$


Next, we take two cases of Construction 2, as they are slightly different. The other 
cases are similar to these. 


Case 1. Let f = fi||fol| fi || fo. As above, 


W7(U,Un—1,Un) = Wy(u) + (-1)" "We, (u) 
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Case 2. Let f = fi || fo|| fol. fi. Then, 


W;(u, Un—1) Un) = Wr (u) (—1)"""* Wy, (u) 


HL) Wea) lye Cw) 


(fas) Waa (Caer NG) 




Regardless of the case, we see that for Construction 2, we have 


max |W (Ud, Un—1,Un)| = 4 max. |Wy,(u)| 


(U,Un—1,Un)EFF ucFr~? 


= 2"—8nl(fi)); 


which renders 


nl(f) = 4nl( fi). 














We note that the nonlinearity in Construction 1 is much better than that of Construction 2
with $n > 3$. It is attributed to the following reasoning. Since $f_1 \in B_{n-2}$,

$$\mathrm{nl}(f_1) \le 2^{n-3} - 2^{n/2-2} < 2^{n-3}.$$

Therefore,

$$\mathrm{nl}(f) = 2^{n-2} + 2\,\mathrm{nl}(f_1) > 4\,\mathrm{nl}(f_1).$$

As for the algebraic immunity, in most cases, $\deg(f_1(xA \oplus b) \oplus f_1) = \deg(f_1)$. That is,
$\deg(f) = \deg(f_1) + 1$. By Lemma 5.4.3, it is usually the case that

$$\mathrm{AI}(f_1 \| f_2) = \mathrm{AI}(f_1) + 1.$$

That is,

$$\mathrm{AI}(f) \ge \mathrm{AI}(f_1).$$


Also, we note nl(f) is much better than nl(f,). Additionally, the fast correlation attack on 


f has an on-line complexity proportional to (4)? where e(f') = ute) = 5 is the the bias of 


nonlinearity [20]. The bias for Construction 1 is








/ 1 
df) = MD? 
ey aero eee) 





SDN Dee: Dy 
This shows our constructions improve against correlation attacks when compared to the 


base function. 


Proposition 5.4.5. [75, Proposition 1] Let $f = f_1 \| f_2 \| f_3 \| f_4$ be an element of $B_{n+2}$
where $n$ is even. Let $f_i \in B_n$, with $i = 1, \ldots, 4$, have maximum algebraic immunity, that is
$\mathrm{AI}(f_i) = \lceil \frac{n}{2} \rceil$. Let $f_1$ be such that for any function $g$ of $\deg(g) = e$, $1 \le e \le \lceil \frac{n}{2} \rceil - 1$,
we have $\deg(f_1 g) = d > \mathrm{AI}(f_1)$, and $e + d > n$. Also let $f_1 = f_3 \oplus 1$. Then

$$\mathrm{AI}(f) = \left\lceil \frac{n}{2} \right\rceil + 1,$$

which shows that $f$ has maximum algebraic immunity.
Using Proposition 5.4.5, we can further infer that if we take $f_1, f_2 \in B_n$ with
$n$ even of maximum AI, with the property that for any function $g$ of algebraic degree
$1 \le e \le \lceil \frac{n}{2} \rceil - 1$, we have $\deg(f_1 g) = d > \mathrm{AI}(f_1)$ and $e + d > n$, then $f = f_1 \| f_2 \| \bar{f}_1 \| f_2$
has maximum AI. The Boolean functions with maximum algebraic immunity are called
perfect algebraic immune (PAI) [78]. Liu et al. introduced the notion of PAI and showed
that if $f_1$ is a balanced PAI, then $n = 2^k + 1$ for some $k$; if $f_1$ is unbalanced, then $n = 2^k$,
for some $k$ [78, Theorem 7]. Next, we present the results related to normality of our
constructions.


Theorem 5.4.6. [27] Let $f_i, f_j \in B_{n-2}$. If $f_i$ or $f_j$, whichever does not have its
complementation in Construction 1, is $k$-normal, then the functions $f$ of Construction 1 are at
least $(k+1)$-normal.


Proof. Due to the affine equivalence to $f_i$, $f_j$ is $k$-normal. If $f_i$ is invariant, say 0 on a
$k$-dimensional flat, then $\bar{f}_i$ is invariant with 1 on the same flat, which shows that $\bar{f}_i$ is
$k$-normal. We prove for the case $f = f_i \| f_j \| f_i \| \bar{f}_j$ only, since the others can be shown by
similar arguments. We show the existence of a $(k+1)$-dimensional affine subspace where
$f(x)$ is a constant. Let $z_1, \ldots, z_k$ be $k$ distinct, linearly independent vectors in $\mathbb{F}_2^{n-2}$,
$d = (d_1, d_2, \ldots, d_{n-2})$ be a vector in $\mathbb{F}_2^{n-2}$, and $a_i \in \mathbb{F}_2$ for $1 \le i \le k$. We define a
$k$-dimensional flat

$$G = \{x \in \mathbb{F}_2^{n-2} \mid x = a_1 z_1 + a_2 z_2 + \cdots + a_k z_k + d,\ a_i \in \mathbb{F}_2,\ 1 \le i \le k\}$$

such that $f_i|_G = 0$. In construction of $f$, we integrate two variables, $x_{n-1}$ and $x_n$, into the
domain of $f_i$, and we can construct a $(k+1)$-dimensional flat in the following way. Let
$z_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)})$ where $1 \le l \le k$. We set

$$z'_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)}, 0, 0),$$

and

$$d' = (d_1, d_2, \ldots, d_{n-2}, 0, 0),$$

where $z'_{k+1}, d' \in \mathbb{F}_2^n$. Then

$$G' = \{x' \in \mathbb{F}_2^n \mid x' = a_1 z'_1 + a_2 z'_2 + \cdots + a_{k+1} z'_{k+1} + d',\ a_i \in \mathbb{F}_2,\ 1 \le i \le k+1\}.$$

If a vector $x' \in G'$ with $a_{k+1} = 0$, then $f$ follows the first $f_i$ in the construction. If a vector
$x' \in G'$ with $a_{k+1} = 1$, then $f$ follows the third $f_i$ in the construction. Therefore, $G'$ is a
$(k+1)$-dimensional flat such that $f|_{G'} = 0$.





Generally, it is difficult to establish a proper limit to the normality of a function. Let
$f_i$ or $f_j$, whichever does not have its complementation in Construction 1, be $k$-normal but
not $(k+1)$-normal, and we show that the function $f$ of Construction 1 cannot have a constant
function value on the $(k+2)$-dimensional flat $H = \{a_1 e_{i_1} \oplus \cdots \oplus a_{k+2} e_{i_{k+2}} \oplus d\}$, where
$d = (y_1, \ldots, y_n)$ is a fixed vector in $\mathbb{F}_2^n$ and $e_{i_m} = (x_1, \ldots, x_n)$ is an elementary vector such
that $x_j = 1$ if and only if $j = i_m$, with $1 \le i_m \le n$. We assume $f = f_i \| f_j \| f_i \| \bar{f}_j$ since the
others can be shown by similar arguments. Let us also assume that $H$ exists. We observe
that $y_{i_m}$ is irrelevant (whether it is 0 or 1) due to $e_{i_m}$, so we set $d$ with $y_{i_1} = \cdots = y_{i_{k+2}} = 0$.
To illustrate better, we rewrite the restriction of our function to $H$ as follows:

$$
\begin{aligned}
f(x)|_H &= (\bar{x}_{n-1} f_i \oplus x_{n-1} f_j) \,\|\, (\bar{x}_{n-1} f_i \oplus x_{n-1} \bar{f}_j) \,|_H \\
&= \bar{x}_n (\bar{x}_{n-1} f_i \oplus x_{n-1} f_j) \oplus x_n (\bar{x}_{n-1} f_i \oplus x_{n-1} \bar{f}_j) \,|_H \\
&= \bar{x}_{n-1} (\bar{x}_n f_i \oplus x_n f_i) \oplus x_{n-1} (\bar{x}_n f_j \oplus x_n \bar{f}_j) \,|_H \\
&= f_i \oplus x_{n-1} f_i \oplus x_{n-1} f_j \oplus x_{n-1} x_n \,|_H.
\end{aligned}
$$

Without loss of generality, we assume $f(x) = 0$ for all $x = (x_1, \ldots, x_n) \in H$, and
we examine the following cases, depending upon the values of $x_{n-1}$ and $x_n$.
Case 1: $n-1, n \notin \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$, and $d_n = x_n$. We observe that
for all possible values for $x_{n-1}$ and $x_n$, $f|_H$ is one of the functions, $f_i$, $f_j$, or $\bar{f}_j$. Since each
function is only $k$-normal, there exists at least one $x \in H$ such that $f(x)|_H = 1$, which is a
contradiction.

Case 2: $n-1 \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $n \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$. If
$x_{n-1} = 0$, then regardless of the value of $x_n$, $f|_H$ follows the function, $f_i$. We note that we
can only increase the normality to $k+1$ using $x_n$ since $f_i$ is $k$-normal. Therefore, there
exists at least one $x \in H$ such that $f(x)|_H = 1$, which is a contradiction. If $x_{n-1} = 1$, $f|_H$
follows the function, $f_j$ with $x_n = 0$ or $\bar{f}_j$ with $x_n = 1$. Clearly, $f|_H$ is at most $k$-normal,
since $\bar{f}_j = f_j \oplus 1$. So, there exists at least one $x \in H$ such that $f(x)|_H = 1$, which is a
contradiction.

Case 3: $n \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $n-1 \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $d_n = x_n$. If $x_n = 0$,
then $f|_H$ follows the function, $f_i \| f_j$. Also, if $x_n = 1$, then $f|_H$ follows the function,
$f_i \| \bar{f}_j$. In both instances, we can only increase the normality to $k+1$, since $f_i$, $f_j$ and $\bar{f}_j$
are $k$-normal.

Case 4: $n-1, n \in \{i_1, i_2, \ldots, i_{k+2}\}$. In this case $f|_H$ follows $f_i \| f_j \| f_i \| \bar{f}_j \,|_H$, and any two
vectors $x', x'' \in H$ in the forms of $x' = (a_1, \ldots, a_{n-2}, 1, 0)$ and $x'' = (b_1, \ldots, b_{n-2}, 1, 1)$
with $a_i, b_i \in \mathbb{F}_2$, $1 \le i \le n-2$, have opposite function values. Therefore, we have a
contradiction.

Under what conditions the functions of Construction 1 are $(k+2)$-normal remains an
open problem. Using a similar approach, we can show a similar result for the functions of
Construction 2.


Theorem 5.4.7. [27] If $f_i$ is $k$-normal, then the functions $f$ of Construction 2 are $k$ or
$(k+1)$-normal.


Proof. We prove for $f = f_i \| f_j \| \bar{f}_i \| \bar{f}_j$ since the proofs for other cases are similar. Since $f_i$
is $k$-normal, $f$ is at least $k$-normal. Also we observe that if $f_i = f_j$, then we have

$$f = f_i \| f_i \| \bar{f}_i \| \bar{f}_i.$$
Using the same technique in Theorem 5.4.6, we show the existence of a $(k+1)$-dimensional
affine subspace where $f(x)$ is a constant. Let $z_1, \ldots, z_k$ be $k$ distinct, linearly
independent vectors, $d = (d_1, d_2, \ldots, d_{n-2})$ be a vector in $\mathbb{F}_2^{n-2}$, and $a_i \in \mathbb{F}_2$ for $1 \le i \le k$.
We define a $k$-dimensional flat

$$G = \{x \in \mathbb{F}_2^{n-2} \mid x = a_1 z_1 + a_2 z_2 + \cdots + a_k z_k + d,\ a_i \in \mathbb{F}_2,\ 1 \le i \le k\}$$

such that $f_i|_G = 0$. In construction of $f$, we integrate two variables,
$x_{n-1}$ and $x_n$, into the domain of $f_i$, and we can construct a $(k+1)$-dimensional flat in the
following way. Let $z_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)})$ where $1 \le l \le k$. We set

$$z'_l = (z_{l1}, z_{l2}, \ldots, z_{l(n-2)}, 0, 0),$$

$$z'_{k+1} = (0, \ldots, 1, 0),$$

and

$$d' = (d_1, d_2, \ldots, d_{n-2}, 0, 0),$$

where $z'_{k+1}, d' \in \mathbb{F}_2^n$. Then

$$G' = \{x' \in \mathbb{F}_2^n \mid x' = a_1 z'_1 + a_2 z'_2 + \cdots + a_{k+1} z'_{k+1} + d',\ a_i \in \mathbb{F}_2,\ 1 \le i \le k+1\}.$$

If a vector $x' \in G'$ with $a_{k+1} = 0$, then $f$ follows the first $f_i$ in the construction. If a vector
$x' \in G'$ with $a_{k+1} = 1$, then $f$ follows the second $f_i$ in the construction. Therefore, $G'$ is a
$(k+1)$-dimensional flat such that $f|_{G'} = 0$. Therefore, the theorem holds.


We also present a similar result on the normality of the functions of Construction 2.
Let $f_i$ in Construction 2 be $k$-normal but not $(k+1)$-normal, and we show that the function
$f$ of Construction 2 cannot have a constant function value on the $(k+2)$-dimensional flat
$H = \{a_1 e_{i_1} \oplus \cdots \oplus a_{k+2} e_{i_{k+2}} \oplus d\}$, where $d = (y_1, \ldots, y_n)$ is a fixed vector in $\mathbb{F}_2^n$ and
$e_{i_m} = (x_1, \ldots, x_n)$ is an elementary vector such that $x_j = 1$ if and only if $j = i_m$, with
$1 \le i_m \le n$. We assume $f = f_i \| f_j \| \bar{f}_i \| \bar{f}_j$, since the others can be shown by similar
arguments. Let us also assume that $H$ exists. We observe that $y_{i_m}$ is irrelevant (whether it
is 0 or 1) due to $e_{i_m}$, so we set $d$ with $y_{i_1} = \cdots = y_{i_{k+2}} = 0$. To illustrate better, we rewrite
the restriction of our function to $H$ as follows:

$$
\begin{aligned}
f(x)|_H &= (\bar{x}_{n-1} f_i \oplus x_{n-1} f_j) \,\|\, (\bar{x}_{n-1} \bar{f}_i \oplus x_{n-1} \bar{f}_j) \,|_H \\
&= \bar{x}_n (\bar{x}_{n-1} f_i \oplus x_{n-1} f_j) \oplus x_n (\bar{x}_{n-1} \bar{f}_i \oplus x_{n-1} \bar{f}_j) \,|_H \\
&= \bar{x}_{n-1} (\bar{x}_n f_i \oplus x_n f_i) \oplus x_{n-1} (\bar{x}_n f_j \oplus x_n f_j) \oplus x_n \,|_H \\
&= f_i \oplus x_{n-1} f_i \oplus x_{n-1} f_j \oplus x_n \,|_H.
\end{aligned}
$$

Without loss of generality, we assume $f(x) = 0$ for all $x = (x_1, \ldots, x_n) \in H$, and
we examine the following cases, depending upon the variables, $x_{n-1}$ and $x_n$.
Case 1: $n-1, n \notin \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$, and $d_n = x_n$. We observe that,
for all possible values for $x_{n-1}$ and $x_n$, $f|_H$ follows one of the functions, $f_i$, $\bar{f}_i$, $f_j$, or $\bar{f}_j$.
Since each function is only $k$-normal, there exists at least one $x \in H$ with $f(x) = 1$, a
contradiction. We note that the other instances where $x_{n-1} = y_{i_m}$ or $x_n = y_{i_m}$ are covered
by the other cases.

Case 2: $n-1 \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $n \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $x_{n-1} = d_{n-1}$. If
$x_{n-1} = 0$, $f|_H$ follows the function, $f_i$ or $\bar{f}_i$. We know each function is $k$-normal. Since $f_i$
and $\bar{f}_i$ have opposite function values in $H$, there exists at least one $x \in H$ with $f(x) = 1$,
a contradiction. If $x_{n-1} = 1$, $f|_H$ follows $f_j$, or $\bar{f}_j$; the same justification applies, and we
have a contradiction.

Case 3: $n \notin \{i_1, i_2, \ldots, i_{k+2}\}$ and $n-1 \in \{i_1, i_2, \ldots, i_{k+2}\}$. Then $d_n = x_n$. If $x_n = 0$,
then $f|_H$ follows the function, $f_i \| f_j$. If $x_n = 1$, then $f|_H$ again follows the function, $\bar{f}_i \| \bar{f}_j$.
In either case, we can only have a $(k+1)$-normal function, which is a contradiction.

Case 4: $n-1, n \in \{i_1, i_2, \ldots, i_{k+2}\}$. In this case $f|_H$ follows $f = f_i \| f_j \| \bar{f}_i \| \bar{f}_j$, and any
two vectors $x', x'' \in H$ in the forms of $x' = (a_1, \ldots, a_{n-2}, 0, 0)$ and $x'' = (b_1, \ldots, b_{n-2}, 0, 1)$
with $a_i, b_i \in \mathbb{F}_2$, $1 \le i \le n-2$, have opposite function values. Therefore, we have a
contradiction.


Remark 5.4.8. References [73], and [74] contain the constructions of normal, or non-normal
functions based upon some of the functions of Construction 1, namely $f_1 \| f_2 \| f_2 \| \bar{f}_1$,
where $f_i$ are bent or have some normality properties.

Finally, we investigate the propagation property of our construction.


Theorem 5.4.9. [27] If the base functions $f_1$ and $f_2$ in Construction 1 satisfy the strict
avalanche criterion, then $f$ satisfies the strict avalanche criterion.


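Proof. We recall that we add two variables $x_{n-1}$ and $x_n$ when we concatenate the functions.
For every vector $y \in \mathbb{F}_2^n$, write $y = (\mathbf{y}_{n-2}, y_{n-1}, y_n)$ with $\mathbf{y}_{n-2} \in \mathbb{F}_2^{n-2}$. We shall show
the claim for $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$, as all the other possibilities are similar. To apply Lemma
2.3.9, we check $f' = f(x) \oplus f(x \oplus a)$ where $a \in \mathbb{F}_2^n$ of weight $\mathrm{wt}(a) = 1$. We consider
three possible cases.

Case 1. Let $a = (0, \ldots, 0, 1)$. Then,

$$
\begin{aligned}
f(x) \oplus f(x \oplus a) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \\
&= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1}) \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1}) \\
&= 0_{2^{n-2}} \,\|\, 1_{2^{n-2}} \,\|\, 0_{2^{n-2}} \,\|\, 1_{2^{n-2}}.
\end{aligned}
$$

Clearly, it is a balanced function.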
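Case 2. Take $a = (0, \ldots, 1, 0)$. Then

$$
\begin{aligned}
f(x) \oplus f(x \oplus a) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\, \bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\, x_n \\
&= f_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) x_{n-1} \bar{x}_n \oplus f_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} x_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) x_{n-1} x_n \\
&\quad \oplus f_1(\mathbf{x}_{n-2}) x_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) \bar{x}_{n-1} \bar{x}_n \oplus f_1(\mathbf{x}_{n-2}) x_{n-1} x_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) \bar{x}_{n-1} x_n \\
&= f_1(\mathbf{x}_{n-2}) \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) \bar{x}_n \oplus f_1(\mathbf{x}_{n-2}) x_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) x_n \\
&= f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}) \oplus x_n,
\end{aligned}
$$

which is balanced regardless of whether $f_1 \oplus f_2$ is balanced or not.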
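Case 3. Take $a = (a', 0, 0)$, with $\mathrm{wt}(a') = 1$. Write $\mathbf{x}_a = \mathbf{x}_{n-2} \oplus a'$. Then,

$$
\begin{aligned}
f(x) \oplus f(x \oplus a) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_a, x_{n-1})\, \bar{x}_n \oplus (f_1 \| \bar{f}_2)(\mathbf{x}_a, x_{n-1})\, x_n \\
&= f_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) x_{n-1} \bar{x}_n \oplus f_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} x_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) x_{n-1} x_n \\
&\quad \oplus f_1(\mathbf{x}_a) \bar{x}_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_a) x_{n-1} \bar{x}_n \oplus f_1(\mathbf{x}_a) \bar{x}_{n-1} x_n \oplus \bar{f}_2(\mathbf{x}_a) x_{n-1} x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) \bar{x}_{n-1} \bar{x}_n \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) x_{n-1} \bar{x}_n \\
&\quad \oplus (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) \bar{x}_{n-1} x_n \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) x_{n-1} x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) \bar{x}_{n-1} \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) x_{n-1},
\end{aligned}
$$

which is balanced. Since $f_1$ and $f_2$ satisfy the strict avalanche criterion, both $f_1(\mathbf{x}_{n-2}) \oplus
f_1(\mathbf{x}_{n-2} \oplus a')$ and $f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2} \oplus a')$ are balanced. We note that $f'$ is balanced for
all the cases. Then, we have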


























for all $u \in \mathbb{F}_2^n$ with $\mathrm{wt}(u) = 1$. By Lemma 2.3.9, we conclude that $f$ satisfies the SAC.
Theorem 5.4.10. [27] With $\{i, j\} = \{1, 2\}$, if $f_i$, $f_j$ satisfy the strict avalanche criterion
and $f_i \oplus f_j$ is balanced, then the functions of Construction 2 of the form $f_i \| f_j \| \bar{f}_j \| \bar{f}_i$, $\bar{f}_i \| \bar{f}_j \| f_j \| f_i$
satisfy the strict avalanche criterion.




















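Proof. For every vector $y \in \mathbb{F}_2^n$, we write $y = (\mathbf{y}_{n-2}, y_{n-1}, y_n)$ with $\mathbf{y}_{n-2} \in \mathbb{F}_2^{n-2}$. We
show the claim in the case $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$, as all the other possibilities are similar. Let
$a \in \mathbb{F}_2^n$ of weight $\mathrm{wt}(a) = 1$. We consider these three cases.

Case 1. Take $a = (0, \ldots, 0, 1)$. Then

$$
\begin{aligned}
f(x) \oplus f(x \oplus a) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \\
&= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1}) \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1}) \\
&= f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}) \oplus 1.
\end{aligned}
$$

Since $f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2})$ is balanced, its complement is balanced.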
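Case 2. Take $a = (0, \ldots, 1, 0)$. Then

$$
\begin{aligned}
f(x) \oplus f(x \oplus a) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\, \bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, \bar{x}_{n-1})\, x_n \\
&= f_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) x_{n-1} \bar{x}_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) \bar{x}_{n-1} x_n \oplus \bar{f}_1(\mathbf{x}_{n-2}) x_{n-1} x_n \\
&\quad \oplus f_1(\mathbf{x}_{n-2}) x_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) \bar{x}_{n-1} \bar{x}_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) x_{n-1} x_n \oplus \bar{f}_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}))\, \bar{x}_n \oplus (f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}))\, x_n \\
&= f_1(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_{n-2}),
\end{aligned}
$$

which is balanced.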
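Case 3. Take $a = (a', 0, 0)$, with $\mathrm{wt}(a') = 1$. Write $\mathbf{x}_a = \mathbf{x}_{n-2} \oplus a'$. Then,

$$
\begin{aligned}
f(x) \oplus f(x \oplus a) &= (f_1 \| f_2)(\mathbf{x}_{n-2}, x_{n-1})\, \bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_{n-2}, x_{n-1})\, x_n \\
&\quad \oplus (f_1 \| f_2)(\mathbf{x}_a, x_{n-1})\, \bar{x}_n \oplus (\bar{f}_2 \| \bar{f}_1)(\mathbf{x}_a, x_{n-1})\, x_n \\
&= f_1(\mathbf{x}_{n-2}) \bar{x}_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_{n-2}) x_{n-1} \bar{x}_n \oplus \bar{f}_2(\mathbf{x}_{n-2}) \bar{x}_{n-1} x_n \oplus \bar{f}_1(\mathbf{x}_{n-2}) x_{n-1} x_n \\
&\quad \oplus f_1(\mathbf{x}_a) \bar{x}_{n-1} \bar{x}_n \oplus f_2(\mathbf{x}_a) x_{n-1} \bar{x}_n \oplus \bar{f}_2(\mathbf{x}_a) \bar{x}_{n-1} x_n \oplus \bar{f}_1(\mathbf{x}_a) x_{n-1} x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) \bar{x}_{n-1} \bar{x}_n \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) x_{n-1} \bar{x}_n \\
&\quad \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) \bar{x}_{n-1} x_n \oplus (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) x_{n-1} x_n \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a))(1 \oplus x_{n-1} \oplus x_n) \oplus (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a))(x_{n-1} \oplus x_n) \\
&= (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)) \,\|\, (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) \,\|\, (f_2(\mathbf{x}_{n-2}) \oplus f_2(\mathbf{x}_a)) \,\|\, (f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)).
\end{aligned}
$$

Since $f_1$ and $f_2$ satisfy the strict avalanche criterion, both $f_1(\mathbf{x}_{n-2}) \oplus f_1(\mathbf{x}_a)$ and $f_2(\mathbf{x}_{n-2}) \oplus
f_2(\mathbf{x}_a)$ are balanced. Therefore, $f'$ in Case 3 is balanced. Since $f'$ is balanced for all the
cases, we have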
for all $u \in \mathbb{F}_2^n$ with $\mathrm{wt}(u) = 1$. By Lemma 2.3.9, we conclude that $f$ satisfies the SAC.
6. AN APPLICATION OF THE TWO CONSTRUCTIONS


6.1. INTRODUCTION 


In this chapter, we show an application of the construction methods presented in 
the previous chapter. In 2002, Krause [79] introduced an attack against stream ciphers 
based on the binary decision diagram (BDD). Several researchers have demonstrated the 
effectiveness of BDD-based attacks, and it has been difficult for functions with conven- 
tional cryptographic properties to counter BDD-based attacks. Various BDD-based attacks 
are found in [79], [80], [81], [82], and [83]. One way to counter BDD-based attacks is to 
integrate Boolean functions with robust BDDs [79]. There have been many constructions 
of Boolean functions with high algebraic immunity [77], [84], [85], [86], [87], [88], [89], 
[90], [91], [92], [93], [94], [95], [96], [97], [98], [99], but few took BDD-based attacks into 
consideration. In [100] and [101], Bryant showed that the hidden weighted-bit function 
(HWBF) has an exponential size of BDD regardless of variable order, and in [98], Wang 
et al. extensively investigated the cryptographic properties of HWBF. In this chapter, we 
briefly introduce the concept of the BDD and apply our construction methods from the 


previous chapter to HWBF. This chapter is based on Chung, Stanica, Tan, and Wang [27]. 


6.2. BINARY DECISION DIAGRAM (BDD) 


We mention briefly relevant findings from [102, pp. 202—280], which covers BDDs 
extensively. Essentially, a BDD is a tree that represents a perspective on a Boolean func- 
tion in which redundant nodes are removed. The BDD is an insightful way to represent a 
Boolean function, since it shows how the Boolean function data is stored and handled in a 
computer memory system [102, p. 202]. There are various BDD definitions in technical 
literature. Here, we assume the BDD has ordered vertices or nodes from the lowest at the 
top to the highest at the bottom, and is reduced as we apply the reduction steps explained 


below. We illustrate the BDD using an example from [102, pp. 202—205]. Let a Boolean 
function, $f$, be described as in Table 6.1. A graphical way to represent the truth table of $f$ is
using a tree structure shown in Figure 6.1. We then apply a reduction algorithm on the tree,
in which we remove nodes that represent a function also represented by another node in
the BDD. Then we connect from the first $x_2$ to any 0 node and from the second $x_2$ to any
1 node. We note that two middle $x_3$ nodes have the same function values, so we combine
them along with the edges from $x_2$ nodes, which results in a BDD representation of $f$ in
Table 6.2. A computer memory system can store $f$ in four different memory blocks
representing the nodes, and each block points to other nodes as indicated by the BDD [102, p.
203]. The size of the BDD, denoted by $BDD(f)$, is the number of vertices in a BDD.





x = x1x2x3 | 000 | 001 | 010 | 011 | 100 | 101 | 110 | 111
f(x)       |  0  |  0  |  0  |  1  |  0  |  1  |  1  |  1

Table 6.1: Truth Table of a Boolean Function f From [102, p. 205]





Figure 6.1: A Tree Representation of f 


Figure 6.2: BDD Representation of f

It is shown that every Boolean function has a unique BDD [102, p. 205]. The
following are some benefits of considering BDD in Boolean function analysis [102, p.
206].

1. From the structural point of view, we can evaluate $f(x)$ in at most $n$ steps by
   following the edges from the root vertex.

2. We can effectively identify the lexicographically smallest $x$ such that $f(x) = 1$ or 0
   in at most $n$ steps.

3. We can find all $x \in \mathbb{F}_2^n$ such that $f(x) = 1$ or 0 in $O(BDD(f) \cdot n)$ steps.

4. We can efficiently generate random solutions to the equation $f(x) = 1$ such that each
   solution gets generated in an equal probability.

5. We can solve the linear Boolean programming problem: Find $x \in \mathbb{F}_2^n$ such that

   $$w_1 x_1 \oplus w_2 x_2 \oplus \cdots \oplus w_n x_n = 1,$$

   subject to

   $$f(x) = 1$$

   with given constants $(w_1, w_2, \ldots, w_n)$ in $O(n + BDD(f))$ steps.


6.3. HIDDEN WEIGHTED-BIT FUNCTION (HWBF) 


6.3.1. Definition of HWBF 


In general, a HWBF $h_n$ takes $x = (x_n, x_{n-1}, \ldots, x_1)$ as input and outputs $x_i$, where
$i = \mathrm{wt}(x)$.

Definition 6.3.1. We define the HWBF of n variable, denoted by $h_n$, as

$$
h_n(x) = \begin{cases} 0, & \text{if } \mathrm{wt}(x) = 0 \\ x_{\mathrm{wt}(x)}, & \text{if } \mathrm{wt}(x) \neq 0. \end{cases}
$$

For example, we can evaluate $h_4(x_4, x_3, x_2, x_1)$ on $\mathbb{F}_2^4$ to obtain Table 6.2.



































x4x3x2x1 | h4(x4,x3,x2,x1) | x4x3x2x1 | h4(x4,x3,x2,x1)
0000     | 0               | 1000     | 0
0001     | 1               | 1001     | 0
0010     | 0               | 1010     | 1
0011     | 1               | 1011     | 0
0100     | 0               | 1100     | 0
0101     | 0               | 1101     | 1
0110     | 1               | 1110     | 1
0111     | 1               | 1111     | 1

Table 6.2: A HWBF with n = 4


We observe that $h_4(0110) = 1$ since $\mathrm{wt}(0110) = 2$ (so the second element of 0110 which
is 1 is the function value). Table 6.3 has the list of HWBFs up to $n = 8$.
One of the interesting characteristics of HWBFs is that they have a very large number
of nodes when represented by a BDD [79]. Specifically,

$$BDD(h_n) = c\chi^n + O(n^2),$$

where $\chi \approx 1.3247$ is the positive root of

$$\chi^3 = \chi + 1$$

and $c \approx 10.75115$ [102, p. 206].
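The reduction described in Section 6.2 can be reproduced directly from a truth table: a decision node exists for every distinct sub-table whose two halves differ. The following is an added example, not code from the thesis; the function names are chosen here. It counts decision nodes (the two sink nodes are not counted) for the function of Table 6.1 and for small HWBFs under every variable order.

```python
from itertools import permutations

def hwbf(n):
    """Truth table of h_n; bit i-1 of the index x holds x_i, so x_n is the top bit."""
    return [0 if x == 0 else (x >> (bin(x).count("1") - 1)) & 1
            for x in range(1 << n)]

def reorder(tt, order):
    """Re-list tt so that order[0] is the root variable of the BDD.

    tt is indexed as in hwbf(); order is a tuple of variable numbers 1..n.
    The result is listed with the root variable as the most significant bit.
    """
    n = len(order)
    out = []
    for j in range(1 << n):
        x = 0
        for pos, var in enumerate(order):
            if (j >> (n - 1 - pos)) & 1:
                x |= 1 << (var - 1)
        out.append(tt[x])
    return tuple(out)

def branch_nodes(table):
    """Decision nodes of the reduced ordered BDD of a table listed root-first."""
    table = tuple(table)
    n = len(table).bit_length() - 1
    total = 0
    for level in range(n):
        size = len(table) >> level          # sub-table size after fixing `level` variables
        half = size // 2
        distinct = set()
        for start in range(0, len(table), size):
            block = table[start:start + size]
            if block[:half] != block[half:]:  # depends on the variable at this level
                distinct.add(block)           # identical sub-tables share one node
        total += len(distinct)
    return total

def size_range(tt):
    """(smallest, largest) decision-node count over all variable orders."""
    n = len(tt).bit_length() - 1
    sizes = [branch_nodes(reorder(tt, p)) for p in permutations(range(1, n + 1))]
    return min(sizes), max(sizes)

# Table 6.1 (the function is symmetric, so the bit order of the listing is immaterial).
MAJ3 = [0, 0, 0, 1, 0, 1, 1, 1]

if __name__ == "__main__":
    print("Table 6.1 function:", branch_nodes(MAJ3), "decision nodes")
    for n in range(3, 7):
        lo, hi = size_range(hwbf(n))
        print(f"h_{n}: best order {lo}, worst order {hi}")
```

For the function of Table 6.1 the count is 4, matching the four memory blocks mentioned in Section 6.2.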


6.3.2. Affine Structure within HWBF 


In order to implement our construction methods with HWBFs, we need a class of
functions affine equivalent to the HWBFs. It turned out that a HWBF $h_n$ is, in fact, a
concatenation of $h_{n-1}$ and one of its affine-equivalent functions. Let $\phi$ be the left-rotation
symmetric operation on vectors of arbitrary dimension, say $\phi(x_p, x_{p-1}, \ldots, x_1) = (x_1, \ldots, x_3, x_2)$.
n | HWBF of n Variable
1 | 01
2 | 0101
3 | 01010011
4 | 0101001100100111
5 | 01010011001001110010011000011111
6 | 01010011001001110010011000011111
  | 00100110000111100000100101111111
7 | 01010011001001110010011000011111
  | 00100110000111100000100101111111
  | 00100110000111100000100101111110
  | 00001000011010010001011111111111
8 | 01010011001001110010011000011111
  | 00100110000111100000100101111111
  | 00100110000111100000100101111110
  | 00001000011010010001011111111111
  | 00100110000111100000100101111110
  | 00001000011010010001011111111110
  | 00001000011010000001011011101001
  | 00000001100101110111111111111111

Table 6.3: Hidden Weighted-Bit Functions


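In [98], Wang et al. showed that the HWBF is a concatenation which can be iterated, as
shown in the next formula,

$$
\begin{aligned}
h_n(x_1, \mathbf{x}, x_{n-1}, x_n) &= h_{n-1}(x_1, \mathbf{x}, x_{n-1}) \,\|\, (h_{n-1} \circ \phi)(x_1, \mathbf{x}, x_{n-1}) \\
&= h_{n-2}(x_1, \mathbf{x}) \,\|\, (h_{n-2} \circ \phi)(x_1, \mathbf{x}) \,\|\, h_{n-2}(\mathbf{x}, x_{n-1}) \,\|\, (h_{n-2} \circ \phi)(\mathbf{x}, x_{n-1}) \qquad (6.1)
\end{aligned}
$$

where $\mathbf{x} = (x_2, \ldots, x_{n-2}) \in \mathbb{F}_2^{n-3}$. Noting this phenomenon, we define the function that
describes the latter half of the HWBF.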
Definition 6.3.2. Given the HWBF $h_{n+1}$, the latter half function of $h_{n+1}$, denoted by $h'_n$, is

$$
h'_n(x) = \begin{cases} 1, & \text{if } \mathrm{wt}(x) = n \\ x_{\mathrm{wt}(x)+1}, & \text{if } \mathrm{wt}(x) \le n - 1. \end{cases}
$$

On the other hand, we call the other half, the front half function, which is $h_n$. So, we
have

$$h_{n+1} = h_n \| h'_n.$$


6.3.3. Cryptographic Properties of HWBF 


Wang et al. extensively investigated the cryptographic properties of HWBFs in
[98]. We list their findings briefly. Given $h_n \in B_n$, where $h_n$ is an HWBF, the following
statements are true:

• $h_n$ is balanced.

• $\deg(h_n) = n - 1$ for $n > 3$.

• $h_n$ satisfies SAC.

• Let $u = (u_1, u_2, \ldots, u_n)$ and $\mathrm{wt}(u) = 1$. Then,

  $$W_{h_n}(u) \le 4\binom{n-2}{\lceil \frac{n-2}{2} \rceil}. \qquad (6.2)$$

• $h_n$ has nonlinearity

  $$\mathrm{nl}(h_n) = 2^{n-1} - 2\binom{n-2}{\lceil \frac{n-2}{2} \rceil}.$$

• $h_n$ has algebraic immunity

  $$\mathrm{AI}(h_n) \ge \left\lfloor \frac{n}{3} \right\rfloor + 1. \qquad (6.3)$$


eh, isa [2 -normal function, and h is not k-normal for any k > [2 : 


Remark 6.3.3. We refer back to Table 6.3. We note the string of 1's at the end of the truth
tables for each $n$. The pattern suggests that given $n > 5$, at least the last $n$ bits may
be 1. We ask if it is possible to exploit it. If an attack is possible, then what is the best way
to mitigate the risk?
6.4. CONSTRUCTION BASED ON HWBF 


For our constructions, we let $\{f_i, f_j\} = \{h_{n-2}, h'_{n-2}\}$. Then, we have,


Construction 1. 


FUGA AIGA ALANA Ss AIG Al fs 


FIL GIB AIGA GANG GW AIBN GWA. 


Construction 2. 


FAPPLAV EE IANG eA Fl aS alse 
Theorem 6.4.1. [27] Let $n > 4$ and $f_1 \| f_2 = h_{n-2} \| h'_{n-2} = h_{n-1}$, the $(n-1)$-variables
HWBF. Then, all of the functions $f$ from Construction 1 are balanced of degree
$\max\{n-2, 2\}$, have nonlinearity


and have algebraic immunity

$$\mathrm{AI}(f) \ge \left\lfloor \frac{n-1}{3} \right\rfloor + 1.$$
Proof. Clearly, all functions in Construction 1 are balanced since $h_{n-2}$ and $h'_{n-2}$ are
balanced. Furthermore, for any concatenation $g_1 \| g_2 \in B_n$ where $g_1, g_2 \in B_{n-1}$,

$$\deg(g_1 \| g_2) = \max\{\deg(g_1), \deg(g_1 \oplus g_2) + 1\}$$

since

$$g_1 \| g_2 = (x_n \oplus 1) g_1 \oplus x_n g_2 = x_n (g_1 \oplus g_2) \oplus g_1.$$

Thus,

$$
\begin{aligned}
\deg(f_1 \| f_2 \| f_1 \| \bar{f}_2) &= \max\{\deg(f_1 \| f_2), \deg((f_1 \| f_2) \oplus (f_1 \| \bar{f}_2)) + 1\} \\
&= \max\{n-2, \deg(0_{2^{n-2}} 1_{2^{n-2}}) + 1\} \\
&= \max\{n-2, 2\},
\end{aligned}
$$

where we write $0_s$ or $1_s$ for a truth table with the corresponding bit repeated $s$ times.
Next, we do the computation for only one case. The others are similar. Let $f =
f_1 \| f_2 \| f_1 \| \bar{f}_2$. We show that

$$\mathrm{nl}(f) = 2^{n-1} - 4\binom{n-4}{\lceil \frac{n-4}{2} \rceil}.$$
We use Lemma 5.4.1, with $g_1 = h_{n-1} = f_1 \| f_2$, $g_2 = f_1 \| \bar{f}_2$, $f_1 = h_{n-2}$, and
$f_2 = h'_{n-2}$. As in the proof of Theorem 5.4.4, we have

$$W_f(u, u_{n-1}, u_n) = (1 + (-1)^{u_n})\, W_{f_1}(u) + (-1)^{u_{n-1}} (1 - (-1)^{u_n})\, W_{f_2}(u)$$

where $u \in \mathbb{F}_2^{n-2}$.

Thus,

$$W_f(u, u_{n-1}, 0) = 2 W_{f_1}(u)$$

and

$$W_f(u, u_{n-1}, 1) = 2(-1)^{u_{n-1}} W_{f_2}(u).$$

Since $f_1(u) = h_{n-2}(u)$ and $f_2(u) = h'_{n-2}(u)$ and $\max_{u \in \mathbb{F}_2^{n-2}} |W_{h_{n-2}}(u)| = 4\binom{n-4}{\lceil \frac{n-4}{2} \rceil}$ by
Equation 6.2, it follows that

$$
\max_{(u, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(u, u_{n-1}, u_n)|
= 2 \max\Big\{ \max_{u \in \mathbb{F}_2^{n-2}} |W_{h_{n-2}}(u)|, \max_{u \in \mathbb{F}_2^{n-2}} |W_{h'_{n-2}}(u)| \Big\}
= 8\binom{n-4}{\lceil \frac{n-4}{2} \rceil}.
$$

By Theorem 2.3.4, the nonlinearity of the functions in Construction 1 is

$$2^{n-1} - 4\binom{n-4}{\lceil \frac{n-4}{2} \rceil}.$$

We now deal with the computation of the algebraic immunity for the considered
functions. By Theorem 4 of [98], let
Since $h_n \sim h'_n$, we can construct an annihilator of $h'_n$ by the same affine transformation
between $h_n$ and $h'_n$.

$$\mathrm{AI}(h_n) = \mathrm{AI}(h'_n).$$

By the definition of algebraic immunity,


for any Boolean function $g$, and also,

$$\mathrm{AI}(f_i \| f_j) = \mathrm{AI}(f_j \| f_i),$$

and by Lemma 5.4.3,


Al (fill fi) = ATAALA), 


for $i, j \in \{1, 2\}$.

So without loss of generality, we will only consider the case of $f = f_1 \| f_2 \| f_1 \| \bar{f}_2$.
Let $g = g_1 \| g_2 \| k_1 \| k_2 \neq 0$ be a nonzero annihilator of $f$. Thus, $g_1, k_1$ are both annihilators
of $f_1$; and $g_2$, respectively $k_2$, are annihilators of $f_2$, respectively $\bar{f}_2$, such that each
annihilator is a nonzero function.

First, since $g_1 \| g_2$ is an annihilator of $f_1 \| f_2 = h_{n-1}$, it follows that $\deg(g_1 \| g_2) = 0$,
if both $g_1 = g_2 = 0$, or $\deg(g_1 \| g_2) > d_{n-1}$. Also, we observe that $\deg(g_1 \oplus k_1)$ is either
0, if $g_1 = k_1 = 0$ or $g_1 = k_1 \neq 0$. Otherwise, $\deg(g_1 \oplus k_1) > d_{n-1}$, since $g_1 \oplus k_1$ is an
annihilator of $f_1$. Now, the degree of the concatenation $g = g_1 \| g_2 \| k_1 \| k_2$ is

$$\deg(g) = \max\{\deg(g_1 \| g_2), \deg((g_1 \oplus k_1) \| (g_2 \oplus k_2)) + 1\}.$$
Next, we analyze the components of the set above. We see that

$$\deg(g_1 \| g_2) = \max\{\deg(g_1), \deg(g_1 \oplus g_2) + 1\},$$

and

$$\deg((g_1 \oplus k_1) \| (g_2 \oplus k_2)) = \max\{\deg(g_1 \oplus k_1), \deg(g_1 \oplus g_2 \oplus k_1 \oplus k_2) + 1\}.$$

If we minimize $\max\{\deg(g_1 \oplus k_1), \deg(g_1 \oplus g_2 \oplus k_1 \oplus k_2) + 1\}$, we have the worst
case when $g_1 = k_1$, and $g_2 = k_2$. Then,

$$\deg(g) = \max\{\deg(g_1 \| g_2), 1\} \ge \left\lfloor \frac{n-1}{3} \right\rfloor + 1$$

by Equation 6.3.





Theorem 6.4.2. [27] Let $n > 3$ and $f_1 \| f_2 = h_{n-1}$, the $(n-1)$-variables HWBF. All of the
functions $f$ from Construction 2 are balanced, have degree $n - 2$, have nonlinearity


have algebraic immunity 





and have the resiliency of order 1. 


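Proof. The functions in Construction 2 are balanced regardless of the balancedness of $f_1$
and $f_2$ and their complements. We will consider only some cases, since the others follow
similarly. If there is a noteworthy difference, we will point it out as necessary. Let $f =
f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$. Clearly,

$$
\begin{aligned}
\deg(f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2) &= \max\{\deg(f_1 \| f_2), \deg((f_1 \| f_2) \oplus (\bar{f}_1 \| \bar{f}_2)) + 1\} \\
&= \max\{n-2, \deg(0_{2^{n-1}}) + 1\} \\
&= \max\{n-2, 1\} \\
&= n - 2
\end{aligned}
$$

for $n > 3$. For the other possibilities, if $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$,

$$
\begin{aligned}
\deg(f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1) &= \max\{\deg(f_1 \| f_2), \deg((f_1 \| f_2) \oplus (\bar{f}_2 \| \bar{f}_1)) + 1\} \\
&= \max\{n-2, \deg((f_1 \oplus \bar{f}_2) \| (f_2 \oplus \bar{f}_1)) + 1\} \\
&= \max\{n-2, \deg(f_1 \oplus \bar{f}_2) + 1\} \\
&= \max\{n-2, n-2\}.
\end{aligned}
$$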
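Next, by Lemma 5.4.1 with $g_1 = h_{n-1} = f_1 \| f_2$, $g_2 = \bar{f}_1 \| \bar{f}_2$, $f_1 = h_{n-2}$, and
$f_2 = h'_{n-2}$, as in Theorem 5.4.4 we have

$$
\begin{aligned}
W_f(u, u_{n-1}, u_n) &= (1 - (-1)^{u_n}) \big(W_{f_1}(u) + (-1)^{u_{n-1}} W_{f_2}(u)\big) \\
&= (1 - (-1)^{u_n})\, W_{h_{n-1}}(u, u_{n-1}),
\end{aligned}
$$

where $u \in \mathbb{F}_2^{n-2}$. We now get

$$\max_{(u, u_{n-1}, u_n) \in \mathbb{F}_2^n} |W_f(u, u_{n-1}, u_n)| = 8\binom{n-3}{\lceil \frac{n-3}{2} \rceil}$$

by Equation 6.2. Therefore, we have

$$\mathrm{nl}(f) = 2^{n-1} - 4\binom{n-3}{\lceil \frac{n-3}{2} \rceil}$$

by Theorem 2.3.4.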
To show resilience of order 1, we will prove that the functions in Construction
2 are correlation immune of order 1 since the function is already balanced. The case
of $f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$, or $\bar{f}_1 \| \bar{f}_2 \| f_1 \| f_2$, is straightforward. Let $f = f_1 \| f_2 \| \bar{f}_2 \| \bar{f}_1$. To show
correlation immunity of order 1, we need to show that $W_f(w) = 0$ for any vector $w$
with $\mathrm{wt}(w) = 1$ by Lemma 2.3.15. It turns out that this will follow simply by using
the balancedness of $f_1$ and $f_2$ and not the HWBF property. By Lemma 5.4.1, if
$\mathrm{wt}(u, u_{n-1}, u_n) = 1$, we have

$$W_f(u, u_{n-1}, u_n) = (1 - (-1)^{u_{n-1}+u_n}) \big(W_{f_1}(u) + (-1)^{u_{n-1}} W_{f_2}(u)\big).$$

Now, if $\mathrm{wt}(u_{n-1}, u_n) = 1$, then $u = 0$. Since $f_1$ and $f_2$ are balanced,

$$W_{f_1}(u) = W_{f_2}(u) = 0.$$

If $\mathrm{wt}(u_{n-1}, u_n) = 0$, we have

$$1 - (-1)^{u_{n-1}+u_n} = 0.$$

Therefore,

$$W_f(u, u_{n-1}, u_n) = 0,$$

where $\mathrm{wt}(u, u_{n-1}, u_n) = 1$, and the functions have the resiliency of order 1.
The computation of the algebraic immunity is similar to the one in the proof of
Theorem 6.4.1. Let $f = f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$. We see that

$$\mathrm{AI}(f_1 \| f_2) = \mathrm{AI}(\bar{f}_1 \| \bar{f}_2).$$

Additionally, by the definition of algebraic immunity, the annihilator used to justify
the AI of $f_1 \| f_2$ or $\bar{f}_1 \| \bar{f}_2$ can be the same function. Let $g = g_1 \| g_2 \neq 0$ be a nonzero
annihilator of $f$ where $g_1, g_2 \in B_{n-1}$. The degree of the concatenation $g = g_1 \| g_2$ is

$$\deg(g) = \max\{\deg(g_1), \deg(g_1 \oplus g_2) + 1\}.$$

We observe that this value takes a minimum when $g_1 = g_2$. So we have

$$
\begin{aligned}
\min\{\deg(g)\} &= \min\{\max\{\deg(g_1), \deg(g_1 \oplus g_2) + 1\}\} \\
&= \deg(g_1)
\end{aligned}
$$

by Equation 6.3, which gives us $\mathrm{AI}(f) \ge \left\lfloor \frac{n-1}{3} \right\rfloor + 1$.











We see that Theorems 5.4.6 and 5.4.7 apply to the normality of the Construction 1 


and 2 functions, respectively. 


Example 6.4.3. We present a snapshot of a performance comparison between the base 
function HWBF and a function of Construction 1. Let f = f; || fo || fi || fo. In Table 6.4, 


one can find the algebraic immunity and nonlinearity of $f$, compared to the HWBF $h_n$.
































n  | AI(f) | AI(h) | nl(f) | nl(h)
7  | 3     | 3     | 52    | 44
8  | 4     | 4     | 104   | 88
9  | 4     | 4     | 216   | 186
10 | 5     | 4     | 432   | 372
11 | 5     | 5     | 884   | 772
12 | 5     | 5     | 1768  | 1544
13 | 6     | 5     | 3592  | 3172
14 | 6     | 5     | 7184  | 6344
15 | 6     | 6     | 14536 | 12952

Table 6.4: Algebraic immunity and nonlinearity of the HWBF-based f and the HWBF h
From [27]
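The nonlinearity columns of Table 6.4 and several claims of Theorems 5.4.9, 6.4.1 and 6.4.2 can be recomputed from truth tables. The following is an added example, not code from the thesis or from [27]; the function names are chosen here, Construction 1 is taken as $f_1 \| f_2 \| f_1 \| \bar{f}_2$ and Construction 2 as $f_1 \| f_2 \| \bar{f}_1 \| \bar{f}_2$ with $f_1 = h_{n-2}$, $f_2 = h'_{n-2}$, and `phi` is one reading of the rotation $\phi$ of Section 6.3.2.

```python
def weight(x):
    return bin(x).count("1")

def hwbf(n):
    """Truth table of h_n (Definition 6.3.1); bit i-1 of the index x is x_i."""
    return [0 if x == 0 else (x >> (weight(x) - 1)) & 1 for x in range(1 << n)]

def latter_half(n):
    """h'_n of Definition 6.3.2: 1 on the all-ones input, otherwise x_{wt(x)+1}."""
    ones = (1 << n) - 1
    return [1 if x == ones else (x >> weight(x)) & 1 for x in range(1 << n)]

def phi(x, n):
    """Coordinate rotation sending x_1 to position n and x_{i+1} to position i."""
    return (x >> 1) | ((x & 1) << (n - 1))

def rotation_equivalent(n):
    """True when h'_n(x) = h_n(phi(x)) for every x (the affine equivalence used above)."""
    h, hp = hwbf(n), latter_half(n)
    return all(hp[x] == h[phi(x, n)] for x in range(1 << n))

def complement(tt):
    return [b ^ 1 for b in tt]

def construction1(n):
    f1, f2 = hwbf(n - 2), latter_half(n - 2)
    return f1 + f2 + f1 + complement(f2)       # blocks selected by (x_{n-1}, x_n)

def construction2(n):
    f1, f2 = hwbf(n - 2), latter_half(n - 2)
    return f1 + f2 + complement(f1) + complement(f2)

def walsh(tt):
    """Walsh spectrum W_f(u) = sum_x (-1)^(f(x) + u.x), computed by the fast butterfly."""
    w = [1 - 2 * b for b in tt]
    step = 1
    while step < len(w):
        for i in range(0, len(w), 2 * step):
            for j in range(i, i + step):
                a, b = w[j], w[j + step]
                w[j], w[j + step] = a + b, a - b
        step *= 2
    return w

def nonlinearity(tt):
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def degree(tt):
    """Algebraic degree from the ANF, obtained with the binary Moebius transform."""
    a = list(tt)
    step = 1
    while step < len(a):
        for i in range(0, len(a), 2 * step):
            for j in range(i, i + step):
                a[j + step] ^= a[j]
        step *= 2
    return max((weight(m) for m, c in enumerate(a) if c), default=0)

def satisfies_sac(tt):
    """Strict avalanche criterion: f(x) + f(x + e_i) is balanced for every i."""
    n = len(tt).bit_length() - 1
    return all(sum(tt[x] ^ tt[x ^ (1 << i)] for x in range(len(tt))) == len(tt) // 2
               for i in range(n))

def is_resilient_order1(tt):
    """Balanced and Walsh-zero on every input of weight 1."""
    w = walsh(tt)
    n = len(tt).bit_length() - 1
    return w[0] == 0 and all(w[1 << i] == 0 for i in range(n))

if __name__ == "__main__":
    print(" n  nl(C1)  nl(C2)  nl(h_n)")
    for n in range(7, 11):
        print(f"{n:2d} {nonlinearity(construction1(n)):7d} "
              f"{nonlinearity(construction2(n)):7d} {nonlinearity(hwbf(n)):8d}")
```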


As for the algebraic immunity, let fg = h,, deg(g) = d and deg(h,,) = e. In Table 


6.5, we present the lowest possible values of (d,e) needed for the fast algebraic attack. 





n     | 7     | 8     | 9     | 10    | 11    | 12    | 13
(d,e) | (1,3) | (1,5) | (1,5) | (1,7) | (1,7) | (1,9) | (1,9)
      | (2,4) | (2,4) | (2,4) | (2,5) | (2,6) | (2,8) | (2,8)
      | (3,3) | (3,4) | (3,4) | (3,5) | (3,5) | (3,6) | (3,6)
      |       |       |       | (4,5) | (4,5) | (4,6) | (4,6)
      |       |       |       |       |       |       | (5,6)

Table 6.5: Behavior of the HWBF-based function f against Fast Algebraic Attacks From
[27]


Remark 6.4.4. We briefly mention some tentative results on our constructions with the 


Carlet-Feng function. Let f; € Bio be the Carlet-Feng function with the primitive poly- 
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nomial 





and $f_2(x) = f_1(Ax)$, where

$$A = (e_1, e_2, e_3, e_4, e_5, e_{10}, e_6, e_7, e_8, e_9)$$

and $e_i \in \mathbb{F}_2^{10}$ is the unit column vector with 1 on the $i$-th position and 0's elsewhere.


Let f = fillfellfillfe € Biz. Then, we computed AI(f) = 6 and nl(f) = 1992. In 











comparison, the nonlinearity of the 12-variable Carlet-Feng function discussed in [96] and 
[97] is only 1970. Also, the recent 12-variable functions constructed by Construction 1 
and 2 of [96] have the nonlinearity at most 1988 and 1982, respectively. Our constructions 


compare well to competitive constructions with good cryptographic properties. 
7. CONCLUSION AND FUTURE RESEARCH


7.1: CONCLUSION


In this dissertation, we studied the affine equivalence of Boolean functions, the
relationship between Boolean functions and graphs, and the construction techniques of
Boolean functions and their applications. Affine equivalence of Boolean functions still
remains a tough challenge for researchers. We defined S-equivalence, a special type of affine
equivalence based on permutation of variables, and our research focused on S-equivalence
of MRS functions and circulant matrices over $\mathbb{F}_2$. We established a relationship between
MRS functions and the circulant matrices over $\mathbb{F}_2$. We explored the group structure of the
circulant matrices over $\mathbb{F}_2$ and found a pattern in the square of a circulant matrix over $\mathbb{F}_2$. This
pattern ultimately led us to a series of properties of MRS functions whose circulant
matrices are singular, but have pseudoinverses. We showed a condition in terms of
generating polynomials for a singular circulant matrix over $\mathbb{F}_2$ to have a general or reflexive
inverse. We defined a dual function for an MRS function with respect to the inverse of the
circulant matrix of the function. We then showed that two S-equivalent functions have the
same degree in ANF, and their dual functions have the same degree. We also showed that
if the circulant matrices of two MRS functions are P-Q equivalent, the functions have the same
degree. Moreover, if the matrices are invertible, their dual functions have the same degree,
and a circulant matrix of one of the original functions is a permutation of the other.

We developed an idea to represent an MRS function in a graph using the cycles
generated by the ordered short algebraic normal form (OSANF) of the function. We
illustrated that this graph is regular. We showed that the graph is ultimately determined by the
sequential differences of the indices of variables in OSANF. We described the relationship
between this property and the construction of MRS functions.

We considered two effective constructions of cryptographic Boolean functions, which
use a base function with strong cryptographic properties, one of its affine equivalent
functions, and simple construction techniques, namely complementation and concatenation.
This strategy reinforces the two important requirements for cryptographic functions, namely
security and speed. Security is clearly a mandatory requirement. However, if a cryptographic
function requires an unreasonable amount of computing power or hard-to-implement
hardware or software, it cannot be utilized effectively. We presented an application of the
constructions, using hidden weighted-bit functions.

In summary, we cleared some trenches on the way to a complete understanding of
the affine-equivalence problem of Boolean functions. We further presented two effective
constructions for cryptographic Boolean functions.


7.2: FUTURE WORK


In this dissertation, we explored various areas of Boolean functions. We solved
some related problems in the process, but we could not solve all the problems. We present
a partial list of problems worth considering.


1. Prove or disprove “If $f \sim g$ with singular matrices $A_f$ and $A_g$, and $wt(A(f)) =
wt(A(g))$, then $wt(A(f^\dagger)) = wt(A(g^\dagger))$, where $f^\dagger$ and $g^\dagger$ are pseudoinverses of $f$
and $g$, respectively”.


2. We propose a thorough analysis of the CCGs. More graph-theoretic, number-theoretic,
and combinatorial analyses can be done. One can also study the relationship between
the CCG and cryptographic properties. One can expand the concept of CCG and
develop a CCG-like structure for all RSBFs.


3. Extend the cryptographic analysis of Constructions 1 and 2 to GAC.,..., etc. Study
more applications of the constructions using other functions.


4. The BDD of Boolean functions has an interesting set of operations. Their effects
on various cryptographic properties of Boolean functions would be a worthwhile
project.


5. HWBFs seem to display predictable patterns in the second half of a truth table. An
interesting project will be to engineer another class of cryptographic Boolean
functions with high BDD size, but without the predictability.